CVE-2026-33334

Source
https://cve.org/CVERecord?id=CVE-2026-33334
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33334.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33334
Aliases
  • GHSA-xh67-63q3-hf7g
Published
2026-03-24T15:02:20.418Z
Modified
2026-04-10T05:42:45.970917Z
Severity
  • 6.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration
Details

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
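
The check below is an added example, not code from the Vikunja project or from this record: it audits an Electron `webPreferences` object for the combination described above (nodeIntegration on, contextIsolation and sandbox off). The function name, the strict "must be set explicitly" policy, both sample objects and the preload path are assumptions made for illustration.

```javascript
// Added example: audits an Electron BrowserWindow `webPreferences` object.
// No Electron import is needed; the sample objects are constructed and are
// not Vikunja's actual source.

// Each rule names the option, the only accepted value, and why it matters.
const RULES = [
  { key: 'nodeIntegration', safe: false,
    why: 'page scripts can call require() and reach Node.js APIs' },
  { key: 'contextIsolation', safe: true,
    why: 'preload and page scripts share one JavaScript world' },
  { key: 'sandbox', safe: true,
    why: 'renderer process runs without the Chromium OS-level sandbox' },
];

// Strict policy (an assumption of this example): every option must be set
// explicitly, so the verdict does not depend on an Electron version's defaults.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, safe, why } of RULES) {
    if (!Object.prototype.hasOwnProperty.call(prefs, key)) {
      findings.push({ key, level: 'warn', message: `${key} not set explicitly` });
    } else if (prefs[key] !== safe) {
      findings.push({ key, level: 'fail', message: `${key}=${prefs[key]}: ${why}` });
    }
  }
  // The pattern from the advisory: Node integration enabled while neither
  // isolation layer is explicitly turned on.
  const matchesAdvisory = prefs.nodeIntegration === true &&
    prefs.contextIsolation !== true && prefs.sandbox !== true;
  return { ok: findings.length === 0, matchesAdvisory, findings };
}

// Constructed sample following the advisory's description of affected versions.
const affectedStyle = { nodeIntegration: true, contextIsolation: false, sandbox: false };
// Hardened counterpart; the preload path is a hypothetical placeholder.
const hardened = { nodeIntegration: false, contextIsolation: true, sandbox: true,
                   preload: '/path/to/preload.js' };

for (const [name, prefs] of Object.entries({ affectedStyle, hardened })) {
  const r = auditWebPreferences(prefs);
  console.log(name, r.ok ? 'OK' : 'NOT OK', 'matchesAdvisory=' + r.matchesAdvisory);
  r.findings.forEach(f => console.log(`  [${f.level}] ${f.message}`));
}
```

With the hardened settings, anything the page needs from Node.js has to be exposed deliberately from the preload script, so a script injected into the page no longer has `require` available.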

Database specific
{
    "cwe_ids": [
        "CWE-269",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33334.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/go-vikunja/vikunja

Affected ranges

Type
GIT
Repo
https://github.com/go-vikunja/vikunja
Events
Database specific
{
    "versions": [
        {
            "introduced": "0.21.0"
        },
        {
            "fixed": "2.2.0"
        }
    ]
}

Affected versions

v0.*
v0.21.0
v0.22.0
v0.22.1
v0.23.0
v0.24.1
v1.*
v1.0.0
v1.0.0-rc0
v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.0-rc4
v1.1.0
v2.*
v2.0.0
v2.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33334.json"