Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Escalated XSS
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Vikunja Desktop Electron wrapper, which enables nodeIntegration in the renderer process without the protections of contextIsolation or a sandbox. As a result, any cross‑site scripting flaw present in the web frontend—whether discovered now or introduced later—gains direct access to Node.js APIs. The attacker can therefore run arbitrary code on the victim’s machine, achieving full compromise of confidentiality, integrity, and availability of that system.

Affected Systems

The affected vendor is go‑vikunja and the product is Vikunja Desktop. All releases from version 0.21.0 up to, but not including, 2.2.0 are vulnerable. The 2.2.0 release and newer have the issue resolved.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of less than 1% suggests low predicted exploitation prevalence. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an XSS vector in the Vikunja web interface; once an attacker injects malicious script, the Electron wrapper’s nodeIntegration lifts the boundary, allowing the script to invoke Node APIs and execute arbitrary code. No additional prerequisites are needed beyond the ability to induce XSS in a user’s browser session.

Generated by OpenCVE AI on March 27, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the newest Vikunja Desktop update (v2.2.0 or later).
  • If an upgrade is not immediately possible, consider disabling nodeIntegration or enabling contextIsolation and sandbox in the Electron configuration until a patch is available.
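As an added illustration (not Vikunja's code and not taken from the advisory), the weak Electron `webPreferences` the description refers to is shown beside a hardened set, together with a small checker that flags the settings which let a renderer XSS reach Node.js. The option names are Electron's real `BrowserWindow` `webPreferences` keys; the sample objects, the checker and the preload file name are assumptions constructed for this example.

```javascript
// Added example, not Vikunja's or Electron's own code. Compares the renderer
// settings the advisory describes with a hardened configuration and audits a
// webPreferences object against the three settings that keep page JavaScript
// confined to the renderer.

// Constructed: the shape of the vulnerable wrapper's settings per the advisory.
const weakWebPreferences = {
  nodeIntegration: true,   // page JS can require() Node modules
  contextIsolation: false, // page JS shares a JS world with preload/Electron internals
  sandbox: false,          // renderer runs without the OS-level sandbox
};

// Constructed: Electron's documented secure defaults written out explicitly.
// Anything the page legitimately needs from the main process is exposed through
// a preload script via contextBridge, never as raw Node access.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: 'preload.js', // hypothetical file name
};

// The safe value for each setting. A setting that is missing is reported too,
// because its default has changed across Electron major versions and an
// explicit value is the only configuration that is version independent.
const SAFE_VALUES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Return a list of findings for a webPreferences object; an empty list means
// an XSS in the loaded frontend stays an XSS instead of becoming code execution.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, safeValue] of Object.entries(SAFE_VALUES)) {
    if (!(key in prefs)) {
      findings.push(`${key} is not set explicitly; its default depends on the Electron version`);
    } else if (prefs[key] !== safeValue) {
      findings.push(`${key}=${prefs[key]} lets renderer scripts escape the web security boundary`);
    }
  }
  return findings;
}

function isXssContained(prefs) {
  return auditWebPreferences(prefs).length === 0;
}

// Stand-alone run: print the audit of both configurations.
for (const [name, prefs] of Object.entries({ weakWebPreferences, hardenedWebPreferences })) {
  const findings = auditWebPreferences(prefs);
  console.log(`${name}: ${findings.length === 0 ? 'OK' : findings.join('; ')}`);
}
```

The audit can be dropped into a build-time test of any Electron wrapper so a later change that re-enables `nodeIntegration` fails CI rather than silently turning every frontend XSS into code execution on the desktop.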

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 16:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Vikunja
                    |                | Vikunja vikunja
Weaknesses          |                | CWE-79
CPEs                |                | cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products  |                | Vikunja
                    |                | Vikunja vikunja
Metrics             |                | cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Wed, 25 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Go-vikunja
                    |                | Go-vikunja vikunja
Vendors & Products  |                | Go-vikunja
                    |                | Go-vikunja vikunja

Tue, 24 Mar 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 15:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
Title       |                | Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration
Weaknesses  |                | CWE-269
            |                | CWE-94
References  |                |
Metrics     |                | cvssV4_0

{'score': 6.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:24:31.238Z

Reserved: 2026-03-18T22:15:11.812Z

Link: CVE-2026-33334

Vulnrichment

Updated: 2026-03-24T18:24:27.263Z

NVD

Status : Analyzed

Published: 2026-03-24T16:16:33.077

Modified: 2026-03-27T16:21:09.603

Link: CVE-2026-33334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:45Z

Weaknesses