CVE-2026-33335
Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
11th
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
| Field | Value |
|---|---|
| CWE | CWE-939 |
| Vendor | go-vikunja |
| Product | vikunja |
| Published | Mar 24, 2026 |
| Last Updated | Mar 25, 2026 |
Affected Versions
go-vikunja / vikunja
>= 0.21.0, < 2.2.0