CVE-2026-33334
XSS in Vikunja Desktop Enables Remote Code Execution
Publication date: 2026-03-24
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | From 0.21.0 (inc) to 2.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33334 is a critical security vulnerability in Vikunja Desktop, an Electron-based application. The vulnerability exists because the Electron BrowserWindow is created with nodeIntegration enabled and lacks important security features like contextIsolation and sandbox.

This configuration allows any JavaScript running in the renderer process to access Node.js APIs, such as child_process, fs, net, and os. As a result, any cross-site scripting (XSS) vulnerability in the Vikunja web frontend, whether existing or future, can escalate to full remote code execution (RCE) on the victim's machine.

In simpler terms, if an attacker can inject malicious scripts via XSS, those scripts can execute arbitrary system commands with the privileges of the user running the application, leading to a severe security risk. [1]
How can this vulnerability impact me?
This vulnerability can have a significant impact because it allows attackers to execute arbitrary code on your machine remotely if they exploit an XSS vulnerability in the Vikunja web frontend.
- Attackers can run system commands with the same privileges as the user running Vikunja Desktop.
- This could lead to data theft, installation of malware, or complete compromise of your system.
- The attack surface is increased because even minor or future XSS vulnerabilities become critical due to the elevated privileges granted by nodeIntegration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from the Electron BrowserWindow being created with `nodeIntegration: true` and lacking security hardening options such as `contextIsolation` and `sandbox`. Detection involves verifying the configuration of the Vikunja Desktop Electron wrapper.

To detect if your Vikunja Desktop installation is vulnerable, you can inspect the `desktop/main.js` file for the presence of `nodeIntegration: true` without accompanying security settings.

There are no specific network commands provided to detect exploitation attempts, but you can look for suspicious execution of OS-level commands initiated by the Electron app, such as unexpected child processes spawned by `child_process.exec`.

Example commands to check for running Vikunja Desktop processes and inspect their command line or behavior might include:
- On Linux/macOS, check for running Vikunja Desktop processes: `ps aux | grep vikunja`
- Inspect the Electron app's main.js file for insecure settings: `grep -A 10 'BrowserWindow' desktop/main.js`
- Monitor for suspicious child processes spawned by the Electron app, e.g., `ps -ef --forest` or using system monitoring tools to detect unexpected commands like `curl` or `bash` executions. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Vikunja Desktop to version 2.2.0 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, modify the Electron BrowserWindow creation in `desktop/main.js` to:
- Set `nodeIntegration` to `false`
- Enable `contextIsolation` by setting it to `true`
- Enable `sandbox` by setting it to `true`
- Set `webviewTag` to `false`
- Set `navigateOnDragDrop` to `false`
If Node.js functionality is required in the renderer process, it should be exposed safely via a preload script using `contextBridge.exposeInMainWorld()` to minimize risk.
Additionally, review and sanitize any user-generated content or inputs to reduce the risk of XSS vulnerabilities that could be escalated.
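As an added example (not Vikunja's own code), the following Node.js snippet audits the `webPreferences` object that would be passed to `new BrowserWindow(...)` against the hardening list above, comparing a constructed copy of the vulnerable shape the advisory describes with the hardened shape. The preload path is a placeholder, and the "omitted key" handling is a deliberate assumption: a setting that is not written out explicitly is reported as relying on the Electron default rather than as verified.

```javascript
// Hardening settings from the mitigation list, with the value each must hold.
const REQUIRED_HARDENING = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webviewTag: false,
  navigateOnDragDrop: false,
};

// Audit a webPreferences object. Returns explicit findings plus a flag for the
// specific combination that turns renderer XSS into Node.js API access:
// nodeIntegration enabled while contextIsolation is explicitly disabled.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, safeValue] of Object.entries(REQUIRED_HARDENING)) {
    if (!(key in prefs)) {
      // Assumption: an omitted key is flagged rather than trusted, because the
      // effective value then depends on the Electron version's defaults.
      findings.push(`${key} not set explicitly (relying on the Electron default)`);
    } else if (prefs[key] !== safeValue) {
      findings.push(`${key} is ${prefs[key]}; expected ${safeValue}`);
    }
  }
  const xssToRce = prefs.nodeIntegration === true && prefs.contextIsolation === false;
  return { secure: findings.length === 0, xssToRce, findings };
}

// Constructed illustration of the vulnerable shape described in the advisory.
const VULNERABLE_PREFS = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
};

// The hardened shape from the mitigation list. If the renderer needs any Node
// functionality, the preload script (placeholder path) is where a minimal API
// would be exposed with contextBridge.exposeInMainWorld().
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webviewTag: false,
  navigateOnDragDrop: false,
  preload: '/PLACEHOLDER/path/to/preload.js',
};

console.log('vulnerable:', auditWebPreferences(VULNERABLE_PREFS));
console.log('hardened:', auditWebPreferences(HARDENED_PREFS));
```

Running the audit over the real `webPreferences` block extracted from `desktop/main.js` gives a quick yes/no answer to the "is this build still vulnerable" question from the detection section.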