CVE-2026-33335

EUVD-2026-14909

24.03.2026, 16:16

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
vikunja	vikunja	0.21.0 ≤ 𝑥 < 2.2.2

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-939 - Improper Authorization in Handler for Custom URL Scheme
The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf

https://vikunja.io/changelog/vikunja-v2.2.0-was-released

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf