CVE-2026-33334
Severity: CRITICAL
Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration
Title source: cnaDescription
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
References (2)
x_refsource_confirm: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-xh67-63q3-hf7g
x_refsource_misc: https://vikunja.io/changelog/vikunja-v2.2.0-was-released
Scores
CVSS v3: 9.6
EPSS: 0.0039
EPSS Percentile: 30.1%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-269, CWE-79, CWE-94
Status: published
Products (2)
go-vikunja/vikunja: >= 0.21.0, < 2.2.0
vikunja/vikunja: 0.21.0 - 2.2.2
Published: Mar 24, 2026
Tracked Since: Mar 24, 2026