Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

6.4 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.

Basic Information

ID CVE-2026-33335

Source GitHub_M

Published Mar 24, 2026 at 15:07

Modified Mar 25, 2026 at 13:41

Affected Product

Vendor go-vikunja

Product vikunja

Version >= 0.21.0, < 2.2.0

Affected Versions go-vikunja vikunja >= 0.21.0, < 2.2.0

CWE Classification

CWE-939

References

{
    "lastseen": "",
    "description": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target=\"_blank\"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.",
    "published": "2026-03-24T15:07:41.460Z",
    "modified": "2026-03-25T13:41:50.096Z",
    "type": "cve",
    "title": "Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal",
    "source": "GitHub_M",
    "references": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf\nhttps://vikunja.io/changelog/vikunja-v2.2.0-was-released",
    "id": "CVE-2026-33335",
    "bulletinFamily": "",
    "cwe": [
        "CWE-939"
    ],
    "cvelist": null,
    "sourceData": "go-vikunja vikunja >= 0.21.0, < 2.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vikunja",
    "version": ">= 0.21.0, < 2.2.0",
    "vendor": "go-vikunja",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal_CVE-2026-33335