PT-2026-27443 · Electron+1

High · kolaente · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-33335 · CVSS v3.1 8.0 High · Vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vikunja versions 0.21.0 through 2.1.9

Description: Vikunja is a self-hosted task management platform. Versions from 0.21.0 up to, but not including, 2.2.0 improperly handle URLs passed from window.open() calls to shell.openExternal() within the Desktop Electron wrapper. Specifically, there is a lack of validation or allowlisting of protocols. This allows an attacker to leverage links with target="_blank" or similar mechanisms within user-generated content to execute arbitrary URI schemes. This could lead to the invocation of local applications, opening of local files, or triggering of custom protocol handlers on the victim's operating system. The shell.openExternal() function is used to open URLs in the user's default browser or associated application. The window.open() function is used to open a new browser window or tab.

Recommendations: Update to Vikunja version 2.2.0 or later.
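The defect the description outlines, as an added example that is not Vikunja's own code: an Electron main-process window-open handler that forwards every URL to shell.openExternal(), beside a hardened version that allowlists protocols before opening. The wiring assumes Electron's webContents.setWindowOpenHandler() API and a constructed http/https/mailto allowlist; the check itself is a plain function, and a small test double lets the policy run without Electron.

```javascript
// Added example, not Vikunja's code. Constructed allowlist of schemes that may leave the app.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// True only when `url` parses and its scheme is on the allowlist. file:, custom
// protocol handlers and unparsable input are all rejected; this is the check the
// affected versions lacked.
function isSafeExternalUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Vulnerable pattern (the "before"): every URL from window.open() or a
// target="_blank" link reaches shell.openExternal(), so any scheme the OS
// knows a handler for gets dispatched.
function installVulnerableHandler(webContents, shell) {
  webContents.setWindowOpenHandler(({ url }) => {
    shell.openExternal(url);
    return { action: 'deny' };
  });
}

// Hardened pattern: validate the scheme first and silently drop the rest.
// 'deny' in both branches also stops Electron creating a new BrowserWindow.
function installHardenedHandler(webContents, shell) {
  webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) {
      shell.openExternal(url);
    }
    return { action: 'deny' };
  });
}

// Test double for the Electron objects so the policy can be exercised offline.
// Returns the URLs the installed handler actually forwarded to shell.openExternal().
function simulateOpens(installHandler, urls) {
  let handler = null;
  const webContents = { setWindowOpenHandler: (fn) => { handler = fn; } };
  const opened = [];
  const shell = { openExternal: (u) => { opened.push(u); } };
  installHandler(webContents, shell);
  for (const url of urls) handler({ url });
  return opened;
}
```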

Related Identifiers

CVE-2026-33335
GHSA-6Q44-85GC-CJVF

Affected Products

Electron
Vikunja