CVE-2026-33334
Published: 24 March 2026
Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Requires secure configuration settings for the Electron wrapper, such as disabling nodeIntegration and enabling contextIsolation and sandbox, to prevent XSS escalation to RCE.
- Enforces separation between user functionality (renderer process web content) and system functionality (Node.js APIs), blocking injected scripts from accessing native system privileges.
- Configures the Electron application with least functionality by disabling unnecessary nodeIntegration, minimizing the capabilities available to potential XSS payloads.
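The following is an added example, not code from Vikunja or its advisory. It shows the Electron `webPreferences` pattern the description above refers to (nodeIntegration on, contextIsolation and sandbox off) next to the hardened configuration the mitigating controls call for, plus a small audit helper that a reviewer could run over a project's window options to flag the insecure combination. Only the Electron option keys (`nodeIntegration`, `contextIsolation`, `sandbox`, `preload`) are real; the function names, the `preload.js` file name and the window dimensions are assumptions.

```javascript
// Added example (not Vikunja's code): vulnerable vs. hardened Electron
// renderer settings, and an audit helper that flags the insecure combination.
// Electron option keys are real; function names and file names are assumed.
'use strict';

// Vulnerable pattern: Node.js APIs are reachable from any script that runs in
// the renderer, so an XSS in the web frontend becomes native code execution.
const vulnerableWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
};

// Hardened pattern: the renderer is an ordinary sandboxed web page. Anything
// privileged is exposed deliberately from a preload script (contextBridge
// plus ipcRenderer.invoke) instead of the whole Node.js API surface.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: 'preload.js', // assumed name; real code uses path.join(__dirname, ...)
};

// Build the options object that would be passed to `new BrowserWindow(...)`
// in Electron's main process. Kept as a plain object so this file runs
// without Electron installed.
function buildWindowOptions(hardened) {
  return {
    width: 1200,  // assumed
    height: 800,  // assumed
    webPreferences: hardened ? hardenedWebPreferences : vulnerableWebPreferences,
  };
}

// Audit a webPreferences object and return findings, most severe first.
// Keys that are absent are reported as INFO rather than assumed safe, because
// Electron's default for each of them changed across major versions.
function auditWebPreferences(prefs) {
  const findings = [];
  const nodeOn = prefs.nodeIntegration === true;
  const isolationOff = prefs.contextIsolation === false;
  const sandboxOff = prefs.sandbox === false;

  if (nodeOn && isolationOff) {
    findings.push('CRITICAL: nodeIntegration enabled without contextIsolation; renderer XSS escalates to RCE');
  } else if (nodeOn) {
    findings.push('HIGH: nodeIntegration enabled in renderer');
  } else if (isolationOff) {
    findings.push('HIGH: contextIsolation disabled; preload globals are reachable from page scripts');
  }
  if (sandboxOff) {
    findings.push('MEDIUM: sandbox disabled for renderer');
  }
  for (const key of ['nodeIntegration', 'contextIsolation', 'sandbox']) {
    if (!(key in prefs)) {
      findings.push(`INFO: ${key} not set explicitly; effective value depends on the Electron version default`);
    }
  }
  return findings;
}

// Run the audit over both configurations.
for (const [label, prefs] of [['vulnerable', vulnerableWebPreferences], ['hardened', hardenedWebPreferences]]) {
  const result = auditWebPreferences(prefs);
  console.log(`${label}:`, result.length ? result : ['no findings']);
}
```

With the hardened settings, page scripts cannot reach `require` or any Node.js API even if they run; the only privileged surface is whatever the preload script chooses to expose through `contextBridge.exposeInMainWorld`, so an XSS in the web frontend stays a web-level problem instead of becoming code execution on the host.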
Security Summary (AI-generated)
CVE-2026-33334 affects the Vikunja Desktop Electron wrapper, part of the open-source self-hosted task management platform Vikunja. In versions starting from 0.21.0 and prior to 2.2.0, the wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox enabled. This configuration allows any cross-site scripting (XSS) vulnerability in the Vikunja web frontend—whether existing or future—to escalate automatically to remote code execution (RCE), as injected scripts can access Node.js APIs. The vulnerability is rated with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection), CWE-269 (Improper Privilege Management), and CWE-79 (XSS).
An attacker can exploit this vulnerability remotely with no required privileges by tricking a user into interacting with a malicious link or content that triggers an XSS payload in the Vikunja web frontend via the Desktop app. User interaction is necessary, such as clicking a link or viewing crafted content, but once triggered, the XSS executes with full access to the victim's machine through Node.js APIs, enabling high confidentiality, integrity, and availability impacts including arbitrary code execution, data theft, or system compromise. The changed scope (S:C) reflects how the exploit bridges web content to native system privileges.
The GitHub security advisory (GHSA-xh67-63q3-hf7g) and Vikunja changelog for version 2.2.0 detail the fix, which resolves the insecure Electron configuration. Security practitioners should upgrade to Vikunja Desktop version 2.2.0 or later and audit for any chained XSS issues in the web frontend.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability in the Electron app allows XSS payloads from malicious links or content to escalate to RCE via Node.js APIs, directly facilitating T1203 (Exploitation for Client Execution) and enabling exploitation via T1566.002 (Spearphishing Link).