CVE-2026-33335
Status: Received - Intake
Unvalidated URL Handling in Vikunja Desktop Enables Arbitrary URI Execution

Publication date: 2026-03-24

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-27
Generated: 2026-05-27
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-25
External references: NVD, EUVD
Affected Vendors & Products
One associated CPE:
Vendor: vikunja
Product: vikunja
Version / Range: from 0.21.0 (inclusive) to 2.2.2 (exclusive)
CWE
CWE-939: The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33335 is a high-severity vulnerability in Vikunja Desktop, an Electron-based task management application. The issue occurs because the application directly passes URLs from window.open() calls to shell.openExternal() without validating or restricting the URL schemes.

This means that if an attacker can insert a link that triggers window.open() in user-generated content, the victim's operating system may open arbitrary URI schemes. These can include dangerous schemes like file:, javascript:, data:, or custom protocols, which can invoke local applications, open local files, or trigger custom protocol handlers.

For example, an attacker who is a collaborator on the same Vikunja instance can place a malicious link in a task description or comment. When the victim clicks this link, it could launch applications like the Windows command prompt, open sensitive files in editors, invoke SSH clients, or exploit known protocol handlers.

The vulnerability arises because there is no allowlist limiting URLs to safe protocols such as http:, https:, or mailto:, nor is there a user confirmation dialog before opening the external link. Version 2.2.0 of Vikunja patches this issue by adding validation and allowlisting. [1]


How can this vulnerability impact me?

This vulnerability can have several impacts depending on the victim's platform and installed applications.

- Arbitrary local application invocation: An attacker can cause the victim's system to launch local applications such as command prompts or editors.
- Opening of local files: Malicious links can open sensitive files on the victim's machine.
- Potential command execution: Exploiting vulnerable protocol handlers may lead to executing commands on the victim's system.
- Information disclosure: For example, mailto: links with pre-filled content could leak information.

The attack requires only low-privilege access (being a collaborator) and a single click by the victim, making it relatively easy to exploit. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Vikunja Desktop Electron wrapper passing URLs from window.open() calls directly to shell.openExternal() without validation or protocol allowlisting.

Detection involves identifying whether the installed Vikunja Desktop version is 0.21.0 or later and earlier than 2.2.0, as these versions are vulnerable.

Since the vulnerability is triggered by user-generated content containing links that invoke window.open(), monitoring or scanning task descriptions or comments for suspicious URL schemes such as file:, javascript:, data:, or custom protocols can help detect potential exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability on a network or system.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to upgrade Vikunja Desktop to version 2.2.0 or later, where the issue is patched.

If upgrading is not immediately possible, implement validation and allowlisting of URL schemes before passing them to shell.openExternal(), permitting only safe schemes such as http:, https:, and optionally mailto:.

Additionally, implement a user confirmation dialog that displays the full URL before opening it externally to prevent automatic invocation of potentially malicious links.

Restrict user permissions to limit who can add links in user-generated content, reducing the risk of an attacker inserting malicious URLs.
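The following is an added example, not Vikunja's own code or its 2.2.0 fix. It implements the two mitigation steps above (a scheme allowlist applied before shell.openExternal(), and a confirmation dialog that shows the full URL) in an Electron main process, and reuses the same allowlist for the detection advice above: a sweep over task or comment HTML that reports links whose scheme is not allowlisted. Electron's `shell` and `dialog` objects are passed in as parameters rather than required at module load, so the pure checks run outside an Electron process; in a real main process pass `require('electron')`. The `installExternalUrlGuard`, `allowedExternalUrl`, `findDisallowedLinks` and `confirmAndOpen` names, the sample task HTML and the example.com hosts are all constructed for this example; `webContents.setWindowOpenHandler`, `dialog.showMessageBox` and `shell.openExternal` are real Electron APIs.

```javascript
// Added example (not Vikunja's code): allowlist URL schemes before handing a
// window.open() target to the OS, confirm with the user, and scan user content
// with the same allowlist. Electron modules are injected for testability.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// WHATWG URL parsing lower-cases the scheme and strips leading/trailing
// whitespace, so "JavaScript:" or a padded "file:" cannot slip past a
// string comparison. Relative or unparsable input yields null.
function parseUrl(rawUrl) {
  try {
    return new URL(String(rawUrl));
  } catch {
    return null;
  }
}

// Returns the normalized URL when its scheme is allowlisted, otherwise null.
function allowedExternalUrl(rawUrl) {
  const parsed = parseUrl(rawUrl);
  return parsed !== null && ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Detection side: report absolute hrefs in a block of HTML whose scheme is not
// allowlisted. Relative links are skipped (they stay inside the app). A real
// HTML parser would be more robust than this regex for a production sweep.
function findDisallowedLinks(html) {
  const hrefRe = /href\s*=\s*["']([^"']*)["']/gi;
  const hits = [];
  for (const match of html.matchAll(hrefRe)) {
    const parsed = parseUrl(match[1]);
    if (parsed !== null && !ALLOWED_SCHEMES.has(parsed.protocol)) hits.push(match[1]);
  }
  return hits;
}

// Mitigation side: the confirmation dialog. Resolves to true only when the user
// approved and the URL was handed to the OS.
async function confirmAndOpen(safeUrl, win, { shell, dialog }) {
  const { response } = await dialog.showMessageBox(win, {
    type: 'question',
    buttons: ['Open', 'Cancel'],
    defaultId: 1,
    cancelId: 1,
    message: 'Open this link outside Vikunja Desktop?',
    detail: safeUrl, // the full URL, so the user sees exactly what will open
  });
  if (response !== 0) return false;
  await shell.openExternal(safeUrl);
  return true;
}

// Install the guard on a BrowserWindow: window.open() never gets a new Electron
// window, and only allowlisted URLs reach the OS, after confirmation.
function installExternalUrlGuard(win, electron) {
  win.webContents.setWindowOpenHandler(({ url }) => {
    const safe = allowedExternalUrl(url);
    if (safe === null) {
      console.warn(`Blocked window.open() to non-allowlisted URL: ${url}`);
    } else {
      confirmAndOpen(safe, win, electron).catch((err) => console.error(err));
    }
    return { action: 'deny' };
  });
}

// Constructed sample of user-generated task content, as a server-side sweep
// over task descriptions or comments would see it.
const SAMPLE_TASK_HTML = [
  '<p>See <a href="https://example.com/spec" target="_blank">the spec</a>,',
  'mail <a href="mailto:alice@example.com">Alice</a>, open <a href="/tasks/7">task 7</a>,',
  'or <a href="ssh://host.example" target="_blank">this</a> and',
  '<a href="file:///etc/hosts" target="_blank">this</a>.</p>',
].join('\n');

function scanSampleTaskContent() {
  return findDisallowedLinks(SAMPLE_TASK_HTML);
}

console.log('Non-allowlisted links in sample:', scanSampleTaskContent());
```

Run the file under Node to see the sweep flag the ssh: and file: links while leaving the https:, mailto: and relative links alone; in the Electron wrapper, call `installExternalUrlGuard(mainWindow, require('electron'))` once after the BrowserWindow is created. Returning `{ action: 'deny' }` for every window.open() is what keeps the wrapper from spawning an unguarded second window.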

