Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
Published: 2026-03-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Local Application Invocation
Action: Apply Patch
AI Analysis

Impact

Vikunja Desktop’s Electron wrapper forwards URLs from window.open() calls directly to shell.openExternal() without validating or restricting the protocols. An attacker who can insert a link—such as one with target="_blank"—into user‑generated content can cause the victim’s operating system to open any URI scheme. The OS then launches the associated application, opens a local file, or triggers a custom protocol handler, effectively giving the attacker the ability to invoke local applications or access local resources.

Affected Systems

The vulnerability is present in Vikunja Desktop releases starting with version 0.21.0 and continues through all builds prior to version 2.2.0. Users running any earlier Vikunja Desktop client are exposed. The product is an open‑source, self‑hosted task‑management platform distributed by the Vikunja organization.

Risk and Exploitability

The overall severity rating of the defect is moderate with a score of 6.4. Estimated exploitation probability is less than 1%, and the vulnerability is not listed in the Known Exploited Vulnerabilities catalog. Exploitation requires malicious user‑generated content containing an actionable link and front‑end interaction by the victim, indicating a client‑side, socially engineered attack vector.

Generated by OpenCVE AI on April 15, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja Desktop to version 2.2.0 or later, which adds validation to shell.openExternal() calls.
  • Limit who can create or edit user‑generated content that may contain links; restrict editing privileges to trusted users to reduce the attack surface.
  • If an upgrade is not immediately possible, consider disabling or removing the shell.openExternal() feature in the client, or applying a local patch that rejects non‑HTTPS URI schemes when invoked from user content.

Generated by OpenCVE AI on April 15, 2026 at 08:36 UTC.
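The defensive counterpart to the flaw described in the Impact section and in the recommended actions, as an added example that is neither Vikunja's code nor part of the OpenCVE record: a protocol allowlist placed in front of Electron's shell.openExternal(), wired through webContents.setWindowOpenHandler(), which is the Electron main-process API that intercepts window.open() from the renderer. The function names isAllowedExternalUrl and makeWindowOpenHandler, the allowlist contents and the sample URLs are assumptions constructed for this example; openExternal is injected as a parameter so the decision logic runs under plain Node without Electron installed.

```javascript
// Added example, not Vikunja's code: allowlist the URI schemes that may leave
// the app before handing a window.open() URL to shell.openExternal().
// Assumed allowlist; tighten to https: only if the deployment permits it.
const ALLOWED_PROTOCOLS = new Set(['https:', 'http:', 'mailto:']);

// Decide whether a URL handed to window.open() may be opened by the OS.
// WHATWG URL parsing normalises scheme case and leading whitespace, so
// "  FILE:///..." is classified as file: rather than slipping past a
// string-prefix check; relative or malformed input fails to parse and is denied.
function isAllowedExternalUrl(rawUrl) {
  if (typeof rawUrl !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return false; // cannot classify it, so deny
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  // Web schemes must carry a host and must not embed credentials
  // (https://user:pw@host), which is a common phishing decoration.
  if (parsed.protocol !== 'mailto:') {
    if (parsed.hostname === '' || parsed.username !== '' || parsed.password !== '') {
      return false;
    }
  }
  return true;
}

// Build the callback for webContents.setWindowOpenHandler().
// `openExternal` is injected (hypothetical parameter) so the logic is testable
// without Electron; in a real main process pass electron's shell.openExternal.
function makeWindowOpenHandler(openExternal, log = (msg) => console.warn(msg)) {
  return (details) => {
    const url = details.url;
    if (isAllowedExternalUrl(url)) {
      Promise.resolve(openExternal(url))
        .catch((err) => log(`openExternal failed for ${url}: ${err.message}`));
    } else {
      log(`blocked window.open to disallowed URL: ${JSON.stringify(url)}`);
    }
    // Either way, never let the renderer spawn its own BrowserWindow.
    return { action: 'deny' };
  };
}

// Wiring in a real Electron main process (not executed here):
//   const { BrowserWindow, shell } = require('electron');
//   const win = new BrowserWindow({ /* ... */ });
//   win.webContents.setWindowOpenHandler(makeWindowOpenHandler(shell.openExternal));

// Stand-alone demo: a recorder stands in for the real shell, and the URLs are
// constructed samples covering the cases the advisory describes.
function demo() {
  const opened = [];
  const handler = makeWindowOpenHandler((u) => { opened.push(u); }, () => {});
  const samples = [
    'https://vikunja.example/tasks/1',           // allowed
    'mailto:someone@example.com',                // allowed
    'file:///etc/hosts',                         // local file: blocked
    'ms-excel:ofe|u|https://example.com/x.xlsx', // custom protocol handler: blocked
    '  FILE:///C:/Windows/notepad.exe',          // case/whitespace variant: blocked
    'https://user:pw@evil.example/',             // embedded credentials: blocked
    '/relative/path',                            // relative string: blocked
  ];
  const decisions = samples.map((u) => [u, isAllowedExternalUrl(u)]);
  samples.forEach((u) => handler({ url: u }));
  return { decisions, opened };
}
```

The handler returns {action: 'deny'} for every URL, allowed or not: links that pass the check are opened by the OS through openExternal, and the renderer is never permitted to create a child BrowserWindow. The same isAllowedExternalUrl check is worth applying to the webContents 'will-navigate' event so that in-place navigations are held to the same allowlist as window.open().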

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vikunja; Vikunja vikunja
CPEs | | cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products | | Vikunja; Vikunja vikunja
Metrics | | cvssV3_1: {'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


Wed, 25 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Go-vikunja; Go-vikunja vikunja
Vendors & Products | | Go-vikunja; Go-vikunja vikunja

Tue, 24 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
Title | | Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal
Weaknesses | | CWE-939
References | |
Metrics | | cvssV4_0: {'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:41:50.096Z

Reserved: 2026-03-18T22:15:11.812Z

Link: CVE-2026-33335

Vulnrichment

Updated: 2026-03-25T13:41:40.308Z

NVD

Status : Analyzed

Published: 2026-03-24T16:16:33.227

Modified: 2026-03-27T16:58:07.513

Link: CVE-2026-33335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses