CVE-2026-33335

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-33335
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.

8.0 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf Exploit Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.0-was-released Release Notes
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
History

27 Mar 2026, 16:58

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.0
References () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf - () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf - Exploit, Vendor Advisory
References () https://vikunja.io/changelog/vikunja-v2.2.0-was-released - () https://vikunja.io/changelog/vikunja-v2.2.0-was-released - Release Notes
Summary
  • (es) Vikunja es una plataforma de gestión de tareas de código abierto y autoalojada. A partir de la versión 0.21.0 y antes de la versión 2.2.0, el *wrapper* de Electron de Vikunja Desktop pasa las URL de las llamadas a `window.open()` directamente a `shell.openExternal()` sin ninguna validación o lista blanca de *protocolos*. Un *atacante* que puede colocar un enlace con `target="_blank"` (o que de otro modo active `window.open`) en contenido generado por el usuario puede hacer que el *sistema operativo* de la víctima abra esquemas URI arbitrarios, invocando aplicaciones locales, abriendo archivos locales o activando manejadores de *protocolos* personalizados. La versión 2.2.0 corrige el problema.
First Time Vikunja
Vikunja vikunja
CPE cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

25 Mar 2026, 14:16

Type Values Removed Values Added
References () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf - () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf -

24 Mar 2026, 16:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-24 16:16

Updated : 2026-03-27 16:58

NVD link : CVE-2026-33335

Mitre link : CVE-2026-33335

CVE.ORG link : CVE-2026-33335

JSON object : View

Products Affected

vikunja

  • vikunja
CWE
CWE-939

Improper Authorization in Handler for Custom URL Scheme