CVE-2026-33334
Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
| CWE | CWE-94 CWE-269 |
| Vendor | go-vikunja |
| Product | vikunja |
| Published | Mar 24, 2026 |
| Last Updated | Mar 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for go-vikunja vikunja
Be the first to know when new unknown vulnerabilities affecting go-vikunja vikunja are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
go-vikunja / vikunja
>= 0.21.0, < 2.2.0