Home

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.

PUBLISHED Reserved 2026-03-18 | Published 2026-03-24 | Updated 2026-03-25 | Assigner GitHub_M




MEDIUM: 6.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-939: Improper Authorization in Handler for Custom URL Scheme

Product status

>= 0.21.0, < 2.2.0
affected

References

github.com/...ikunja/security/advisories/GHSA-6q44-85gc-cjvf exploit

github.com/...ikunja/security/advisories/GHSA-6q44-85gc-cjvf

vikunja.io/changelog/vikunja-v2.2.0-was-released

cve.org (CVE-2026-33335)

nvd.nist.gov (CVE-2026-33335)

Download JSON