PT-2026-27442 · Vikunja+2
High · kolaente · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-33334
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Vikunja versions 0.21.0 through 2.1.9
Description
Vikunja is a self-hosted task management platform. Versions 0.21.0 through 2.1.9 of the Vikunja Desktop Electron wrapper enable nodeIntegration in the renderer process without contextIsolation or sandbox. This configuration allows any cross-site scripting (XSS) vulnerability in the Vikunja web frontend to potentially lead to full remote code execution on a victim's machine, as injected scripts gain access to Node.js APIs.
Recommendations
Update to version 2.2.0 or later.
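For reviewing other Electron wrappers for the renderer settings named in the description, the following added example (not Vikunja's code and not part of the original advisory) lints a BrowserWindow webPreferences object. The function names, the sample objects and the assumed defaults (those Electron 20 and later apply when a key is omitted) are assumptions of this example.

```javascript
// Added example (not Vikunja's code): lint BrowserWindow webPreferences for the
// renderer settings named in the advisory. Runs under plain Node.js; no
// Electron import is needed because only the options object is inspected.

// Assumption: values Electron >= 20 applies when a key is omitted.
const DEFAULTS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

const RULES = [
  { id: 'node-integration', key: 'nodeIntegration', bad: true,
    why: 'renderer gets require() and Node.js APIs' },
  { id: 'no-context-isolation', key: 'contextIsolation', bad: false,
    why: 'page scripts share a JavaScript world with preload scripts' },
  { id: 'no-sandbox', key: 'sandbox', bad: false,
    why: 'renderer process runs without the Chromium sandbox' },
];

function auditWebPreferences(declared = {}) {
  const effective = { ...DEFAULTS, ...declared };
  const findings = RULES.filter(r => effective[r.key] === r.bad)
    .map(r => ({ id: r.id, setting: `${r.key}: ${r.bad}`, why: r.why }));
  // The combination the advisory describes: Node.js is reachable from the
  // page's own JavaScript world, so an injected script (XSS) can use it.
  const nodeExposedToPage = effective.nodeIntegration === true &&
                            effective.contextIsolation === false;
  return { effective, findings, nodeExposedToPage };
}

// Constructed sample mirroring the description of the affected versions.
const weak = { nodeIntegration: true, contextIsolation: false, sandbox: false };
// Hardened counterpart, spelled out so it does not depend on version defaults.
const hardened = { nodeIntegration: false, contextIsolation: true, sandbox: true };

function report(name, prefs) {
  const { findings, nodeExposedToPage } = auditWebPreferences(prefs);
  const head = `${name}: ${findings.length} finding(s), ` +
               `Node.js exposed to page scripts: ${nodeExposedToPage}`;
  return [head, ...findings.map(f => `  [${f.id}] ${f.setting} (${f.why})`)].join('\n');
}

console.log(report('weak', weak));
console.log(report('hardened', hardened));
```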
Exploit
Fix
Improper Privilege Management
Code Injection
XSS
Affected products
Electron
Vikunja
Vikunja Desktop