Remote Code Execution Vulnerability in Vikunja Task Management Platform
CVE-2026-33334

6.5 MEDIUM

Key Information:

Vendor: Go-vikunja

Status
Vendor
CVE Published: 24 March 2026

What is CVE-2026-33334?

The Vikunja task management platform contains a remote code execution vulnerability caused by misuse of the Electron framework. The `nodeIntegration` feature is enabled in the renderer process without the protections of `contextIsolation` or `sandbox`. As a result, any cross-site scripting (XSS) vulnerability in the web frontend can be escalated: injected scripts can access Node.js APIs, potentially giving an attacker full control over the victim's machine. The issue is addressed in Vikunja version 2.2.0.
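The settings named above are keys of the `webPreferences` object passed to an Electron `BrowserWindow`. The following check is an added example, not code from Vikunja or from the advisory: the function `auditWebPreferences`, the `advisoryPattern` field and both sample objects are constructed for illustration, and it runs in plain Node.js without Electron installed.

```javascript
// Added example: audits an Electron `webPreferences` object for the three
// settings named in the advisory. Inputs are constructed, not Vikunja's code.

// Each rule: option name, the value that keeps page scripts away from Node.js,
// and what the other value exposes once an XSS runs in the renderer.
const RULES = [
  { key: 'nodeIntegration', safe: false,
    risk: 'page scripts can call require() and reach Node.js APIs' },
  { key: 'contextIsolation', safe: true,
    risk: 'page scripts share a JavaScript context with preload scripts' },
  { key: 'sandbox', safe: true,
    risk: 'renderer process runs without the Chromium sandbox' },
];

function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, safe, risk } of RULES) {
    if (!(key in prefs)) {
      // Defaults changed across Electron releases, so ask for an explicit value.
      findings.push({ key, level: 'warn', detail: `not set; pin ${key}: ${safe}` });
    } else if (prefs[key] !== safe) {
      findings.push({ key, level: 'fail', detail: risk });
    }
  }
  // The exact combination the advisory describes: Node.js enabled in the
  // renderer with neither isolation nor sandbox in front of it.
  const advisoryPattern = prefs.nodeIntegration === true &&
    prefs.contextIsolation === false && prefs.sandbox === false;
  return { advisoryPattern, findings };
}

// Constructed sample: the weak combination described in the advisory text.
const weak = { nodeIntegration: true, contextIsolation: false, sandbox: false };
// Constructed sample: hardened form with every protection stated explicitly.
const hardened = { nodeIntegration: false, contextIsolation: true, sandbox: true };

for (const [name, prefs] of Object.entries({ weak, hardened })) {
  const { advisoryPattern, findings } = auditWebPreferences(prefs);
  const summary = findings.map(f => `${f.level}:${f.key}`).join(', ') || 'clean';
  console.log(`${name}: advisoryPattern=${advisoryPattern} ${summary}`);
}
```

Run against the options object a project actually passes to `new BrowserWindow(...)`, a `fail` on `nodeIntegration` is the finding that turns a frontend XSS into access to Node.js APIs.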

Affected Version(s)

vikunja >= 0.21.0, < 2.2.0

CVSS V4

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
