CVE-2026-33335

HIGH

Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

Title source: cna

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.

References (2)

[X_Refsource_Confirm] https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf

[X_Refsource_Misc] https://vikunja.io/changelog/vikunja-v2.2.0-was-released

Scores

CVSS v3 8.0

EPSS 0.0004

EPSS Percentile 11.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-939

Status published

Products (2)

go-vikunja/vikunja >= 0.21.0, < 2.2.0

vikunja/vikunja 0.21.0 - 2.2.2

Published Mar 24, 2026

Tracked Since Mar 24, 2026