VYPR
Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 24, 2026

Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration

CVE-2026-33334

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Vikunja/Vikunjallm-fuzzy
    Range: >=0.21.0 <2.2.0
  • go-vikunja/vikunjav5
    Range: >= 0.21.0, < 2.2.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.