CVE-2026-33334
Received Received - Intake
XSS in Vikunja Desktop Enables Remote Code Execution

Publication date: 2026-03-24

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33334
EUVD
EUVD-2026-14907
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja From 0.21.0 (inc) to 2.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33334 is a critical security vulnerability in Vikunja Desktop, an Electron-based application. The vulnerability exists because the Electron BrowserWindow is created with nodeIntegration enabled and lacks important security features like contextIsolation and sandbox.'}, {'type': 'paragraph', 'content': "This configuration allows any JavaScript running in the renderer process to access Node.js APIs, such as child_process, fs, net, and os. As a result, any cross-site scripting (XSS) vulnerability in the Vikunja web frontendβ€”whether existing or futureβ€”can escalate to full remote code execution (RCE) on the victim's machine."}, {'type': 'paragraph', 'content': 'In simpler terms, if an attacker can inject malicious scripts via XSS, those scripts can execute arbitrary system commands with the privileges of the user running the application, leading to a severe security risk.'}] [1]

Impact Analysis

This vulnerability can have a significant impact because it allows attackers to execute arbitrary code on your machine remotely if they exploit an XSS vulnerability in the Vikunja web frontend.

  • Attackers can run system commands with the same privileges as the user running Vikunja Desktop.
  • This could lead to data theft, installation of malware, or complete compromise of your system.
  • The attack surface is increased because even minor or future XSS vulnerabilities become critical due to the elevated privileges granted by nodeIntegration.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises from the Electron BrowserWindow being created with `nodeIntegration: true` and lacking security hardening options such as `contextIsolation` and `sandbox`. Detection involves verifying the configuration of the Vikunja Desktop Electron wrapper.'}, {'type': 'paragraph', 'content': 'To detect if your Vikunja Desktop installation is vulnerable, you can inspect the `desktop/main.js` file for the presence of `nodeIntegration: true` without accompanying security settings.'}, {'type': 'paragraph', 'content': 'There are no specific network commands provided to detect exploitation attempts, but you can look for suspicious execution of OS-level commands initiated by the Electron app, such as unexpected child processes spawned by `child_process.exec`.'}, {'type': 'paragraph', 'content': 'Example commands to check for running Vikunja Desktop processes and inspect their command line or behavior might include:'}, {'type': 'list_item', 'content': 'On Linux/macOS, check for running Vikunja Desktop processes: `ps aux | grep vikunja`'}, {'type': 'list_item', 'content': "Inspect the Electron app's main.js file for insecure settings: `grep -A 10 'BrowserWindow' desktop/main.js`"}, {'type': 'list_item', 'content': 'Monitor for suspicious child processes spawned by the Electron app, e.g., `ps -ef --forest` or using system monitoring tools to detect unexpected commands like `curl` or `bash` executions.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade Vikunja Desktop to version 2.2.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, modify the Electron BrowserWindow creation in `desktop/main.js` to:

  • Set `nodeIntegration` to `false`
  • Enable `contextIsolation` by setting it to `true`
  • Enable `sandbox` by setting it to `true`
  • Set `webviewTag` to `false`
  • Set `navigateOnDragDrop` to `false`

If Node.js functionality is required in the renderer process, it should be exposed safely via a preload script using `contextBridge.exposeInMainWorld()` to minimize risk.

Additionally, review and sanitize any user-generated content or inputs to reduce the risk of XSS vulnerabilities that could be escalated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33334. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart