Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 24, 2026

Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration

CVE-2026-33334

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.

Affected products

Vikunja/Vikunjallm-fuzzy
Range: >=0.21.0 <2.2.0
go-vikunja/vikunjav5
Range: >= 0.21.0, < 2.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/go-vikunja/vikunja/security/advisories/GHSA-xh67-63q3-hf7gmitrex_refsource_CONFIRM
vikunja.io/changelog/vikunja-v2.2.0-was-releasedmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000