CVE-2026-33335
Severity: HIGH (CVSS 8.0)
Description
Vikunja is an open-source, self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or one that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
CVE Details
CVSS v3.1 Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Published: 3/24/2026
Last Modified: 3/27/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
vikunja:vikunja
Weaknesses (CWE)
CWE-939
References
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf (security-advisories@github.com)
https://vikunja.io/changelog/vikunja-v2.2.0-was-released (security-advisories@github.com)
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.