CVE-2026-33334
Received Received - Intake

XSS in Vikunja Desktop Enables Remote Code Execution

Vulnerability report for CVE-2026-33334, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-24

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-24
Last Modified
2026-03-27
Generated
2026-07-06
AI Q&A
2026-03-24
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja From 0.21.0 (inc) to 2.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33334 is a critical security vulnerability in Vikunja Desktop, an Electron-based application. The vulnerability exists because the Electron BrowserWindow is created with nodeIntegration enabled and lacks important security features like contextIsolation and sandbox.'}, {'type': 'paragraph', 'content': "This configuration allows any JavaScript running in the renderer process to access Node.js APIs, such as child_process, fs, net, and os. As a result, any cross-site scripting (XSS) vulnerability in the Vikunja web frontendβ€”whether existing or futureβ€”can escalate to full remote code execution (RCE) on the victim's machine."}, {'type': 'paragraph', 'content': 'In simpler terms, if an attacker can inject malicious scripts via XSS, those scripts can execute arbitrary system commands with the privileges of the user running the application, leading to a severe security risk.'}] [1]

Impact Analysis

This vulnerability can have a significant impact because it allows attackers to execute arbitrary code on your machine remotely if they exploit an XSS vulnerability in the Vikunja web frontend.

  • Attackers can run system commands with the same privileges as the user running Vikunja Desktop.
  • This could lead to data theft, installation of malware, or complete compromise of your system.
  • The attack surface is increased because even minor or future XSS vulnerabilities become critical due to the elevated privileges granted by nodeIntegration.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises from the Electron BrowserWindow being created with `nodeIntegration: true` and lacking security hardening options such as `contextIsolation` and `sandbox`. Detection involves verifying the configuration of the Vikunja Desktop Electron wrapper.'}, {'type': 'paragraph', 'content': 'To detect if your Vikunja Desktop installation is vulnerable, you can inspect the `desktop/main.js` file for the presence of `nodeIntegration: true` without accompanying security settings.'}, {'type': 'paragraph', 'content': 'There are no specific network commands provided to detect exploitation attempts, but you can look for suspicious execution of OS-level commands initiated by the Electron app, such as unexpected child processes spawned by `child_process.exec`.'}, {'type': 'paragraph', 'content': 'Example commands to check for running Vikunja Desktop processes and inspect their command line or behavior might include:'}, {'type': 'list_item', 'content': 'On Linux/macOS, check for running Vikunja Desktop processes: `ps aux | grep vikunja`'}, {'type': 'list_item', 'content': "Inspect the Electron app's main.js file for insecure settings: `grep -A 10 'BrowserWindow' desktop/main.js`"}, {'type': 'list_item', 'content': 'Monitor for suspicious child processes spawned by the Electron app, e.g., `ps -ef --forest` or using system monitoring tools to detect unexpected commands like `curl` or `bash` executions.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade Vikunja Desktop to version 2.2.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, modify the Electron BrowserWindow creation in `desktop/main.js` to:

  • Set `nodeIntegration` to `false`
  • Enable `contextIsolation` by setting it to `true`
  • Enable `sandbox` by setting it to `true`
  • Set `webviewTag` to `false`
  • Set `navigateOnDragDrop` to `false`

If Node.js functionality is required in the renderer process, it should be exposed safely via a preload script using `contextBridge.exposeInMainWorld()` to minimize risk.

Additionally, review and sanitize any user-generated content or inputs to reduce the risk of XSS vulnerabilities that could be escalated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33334. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart