Skip to main content

Vikunja CVE-2026-33335

| EUVD-2026-14909 MEDIUM
Improper Authorization in Handler for Custom URL Scheme (CWE-939)
2026-03-24 GitHub_M
Information Disclosure Vikunja
6.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.2.0
EUVD ID Assigned
Mar 24, 2026 - 15:45 euvd
EUVD-2026-14909
Analysis Generated
Mar 24, 2026 - 15:45 vuln.today
CVE Published
Mar 24, 2026 - 15:07 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open() calls directly to shell.openExternal() without any validation or protocol allowlisting. An attacker who can place a link with target="_blank" (or that otherwise triggers window.open) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.

AnalysisAI

The Vikunja Desktop Electron application fails to validate or allowlist URI schemes before passing URLs from window.open() calls to shell.openExternal(), allowing attackers to invoke arbitrary local applications, open files, or trigger custom protocol handlers. Vikunja versions 0.21.0 through 2.1.x are affected, with the vulnerability patched in version 2.2.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment While a formal CVSS score and EPSS probability are not provided, the risk is substantial based on available signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious user embeds a link such as <a href="file:///etc/passwd" target="_blank">Click for details</a> or <a href="ms-settings:appsfeatures" target="_blank">Update</a> in a Vikunja task description or comment. When a victim using Vikunja Desktop (v0.21.0–v2.1.x) clicks the link or the page auto-triggers window.open(), the Electron wrapper passes the URI directly to the OS without validation, causing the victim's file manager to open a sensitive file or a system settings panel to launch. …
Remediation Immediately upgrade the Vikunja Desktop application to version 2.2.0 or later; this is the primary and complete remediation. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems running version 0.21.0 and and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-33335 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy