CVE-2026-33335 in Vikunja

Summary

by MITRE • 03/24/2026

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.


Analysis

by VulDB Data Team • 03/28/2026

CVE-2026-33335 affects Vikunja, an open-source self-hosted task management platform that ships both a web frontend and a desktop application built as an Electron wrapper around that frontend. The issue is present in versions 0.21.0 through 2.1.9: the desktop wrapper's handler for browser window.open() calls passes the requested URL straight to Electron's shell.openExternal() without parsing it or checking its scheme against an allowlist. shell.openExternal() hands the URL to the operating system, which dispatches it to whatever application is registered for that scheme, so the missing check turns any link a user can click in the desktop app into a way to invoke local protocol handlers.

The flaw is reachable from user-generated content, for example a task description containing a link with target="_blank" or any other markup that causes the renderer to call window.open(). When a victim clicks such a link in the desktop application, the URL reaches the OS protocol dispatcher unchanged, so an attacker can choose a scheme other than http or https: file: to open a local file in its default application, or a custom scheme registered by software installed on the victim's machine. What happens next depends entirely on the handler: some merely open a document, others launch an application with attacker-influenced arguments, which is how this class of bug can lead to code execution. Only the Electron desktop wrapper is affected; the same frontend served in a browser leaves the decision to the browser, which applies its own handling to non-web schemes.

The operational impact falls on users who open shared projects in the desktop application, since any collaborator, or anyone else who can inject content into a task, comment or description, can place a malicious link where a victim will click it. Realistic outcomes range from phishing via a link that leaves the application, to opening local files, to launching locally installed software with attacker-chosen parameters. No specific handler yielding code execution is named in the advisory, and the Electron app runs as the logged-in user rather than with elevated privileges, so the severity in a given environment is set by the protocol handlers registered on the victim's endpoints. VulDB maps the issue to CWE-732 (Incorrect Permission Assignment for Critical Resource); in practice it is a missing validation step on a URL before it reaches a sink that can start arbitrary local programs.

Organizations using the Vikunja desktop application should update to version 2.2.0 or later, which adds URL validation and a protocol allowlist in front of shell.openExternal() so that only expected web schemes are handed to the operating system. Until the update is rolled out, treat links in shared Vikunja content as untrusted and prefer the browser-hosted frontend. Network controls that block known-malicious domains are of limited value here, because the dangerous URLs point at local schemes rather than remote hosts; endpoint monitoring is more useful, in particular alerting on processes launched on behalf of the Vikunja desktop binary that are not the default browser or mail client (on Linux, for example, xdg-open and its children), which is how a custom protocol handler invoked through this bug would appear. Administrators should also review which custom URI schemes are registered on managed endpoints and remove handlers that are not needed. Users should be reminded not to click unexpected links in shared tasks and to keep the desktop client current.
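The following is an added example, written for this page and not taken from Vikunja's code base or its 2.2.0 fix, which is not shown here. It puts the vulnerable shape the advisory describes (window.open() URL passed straight to shell.openExternal()) next to a hardened handler that only forwards allowlisted schemes. The allowlist contents, the sample links and the injected openExternal callback are assumptions made so the logic can run without Electron; the installWindowOpenHandler function shows how the hardened handler would be wired into a real main process via webContents.setWindowOpenHandler().

```javascript
// Added example (not Vikunja's code): scheme allowlisting for an Electron
// window.open() handler, beside the unvalidated pass-through the advisory describes.

// ASSUMPTION: the schemes a task-management desktop app legitimately needs.
// Vikunja's real allowlist is not documented on this page.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// True only for absolute URLs whose scheme is on the allowlist. Non-strings,
// relative or malformed input and every other scheme (file:, javascript:,
// custom handlers) are rejected.
function isSafeExternalUrl(raw) {
  if (typeof raw !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(raw); // WHATWG parser: throws on relative/malformed input
  } catch {
    return false;
  }
  // The parser lower-cases the scheme, so "HTTPS://" compares as "https:".
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Vulnerable shape from the advisory: whatever the renderer asks to open goes
// straight to the OS protocol dispatcher. `openExternal` is injected so this
// runs without Electron; in a real app it is shell.openExternal.
function vulnerableWindowOpenHandler(details, openExternal) {
  openExternal(details.url);
  return { action: 'deny' }; // no new BrowserWindow; the OS already got the URL
}

// Hardened shape: only allowlisted schemes reach the OS, everything else is dropped.
function hardenedWindowOpenHandler(details, openExternal) {
  if (isSafeExternalUrl(details.url)) {
    openExternal(details.url);
  }
  return { action: 'deny' };
}

// Wiring for a real Electron main process (not executed here): `win` is a
// BrowserWindow, `shell` is Electron's shell module.
function installWindowOpenHandler(win, shell) {
  win.webContents.setWindowOpenHandler((details) =>
    hardenedWindowOpenHandler(details, (url) => shell.openExternal(url)),
  );
}

// Constructed sample of links an attacker might embed in a task description.
const SAMPLE_LINKS = [
  'https://example.com/docs',      // legitimate web link, allowed
  'file:///etc/passwd',            // opens a local file in its default app
  'javascript:alert(1)',           // not an allowlisted scheme
  'myhandler://run?arg=1',         // hypothetical custom protocol handler
  'HTTPS://EXAMPLE.COM/Upper',     // scheme normalised by the parser, allowed
  '//evil.example/relative',       // scheme-less, fails to parse as absolute
];

// Runs both handlers over the sample links and returns what each would hand to the OS.
function compareHandlers(links = SAMPLE_LINKS) {
  const vulnerable = [];
  const hardened = [];
  for (const url of links) {
    vulnerableWindowOpenHandler({ url }, (u) => vulnerable.push(u));
    hardenedWindowOpenHandler({ url }, (u) => hardened.push(u));
  }
  return { vulnerable, hardened };
}

console.log(compareHandlers());
```

Note that allowlisting by scheme closes the local-handler path but does not make https links safe in themselves; an ordinary phishing URL still opens in the browser, which is the intended behaviour and is left to the user.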

Responsible

GitHub M

Reservation

03/18/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00051

KEV

no

Activities

very low
