PT-2026-27444 · Vikunja

Kolaente · Published 2026-03-24 · Updated 2026-03-24

CVE-2026-33336 · CVSS v3.1 8.8 High · Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Vikunja versions 0.21.0 through 2.1.9

Description
Vikunja Desktop, an Electron wrapper for the Vikunja task management platform, allows an attacker to execute arbitrary code on a victim's machine. The main BrowserWindow is created with nodeIntegration enabled and with no restriction on same-window navigations. An attacker can place a link in user-generated content, such as a task description or comment, that, when clicked by a victim, makes the BrowserWindow navigate to an attacker-controlled origin. The attacker's page then runs JavaScript in a renderer that has full Node.js access, which yields arbitrary code execution on the victim's machine. The root cause is the combination of nodeIntegration: true and the absence of will-navigate or will-redirect handlers on the webContents. No cross-site scripting (XSS) flaw is required: a standard, sanitized hyperlink is sufficient for exploitation.

Recommendations
Vikunja versions 0.21.0 through 2.1.9 are affected. Update to version 2.2.0 or later to resolve this issue.

Weakness Enumeration
Code Injection

Related Identifiers

CVE-2026-33336
GHSA-83W9-9JF6-88VF

Affected Products

Electron
Vikunja
Vikunja Desktop