Open-Source Task Management Platform Vulnerability in Vikunja
CVE-2026-33335

6.4 MEDIUM

Key Information:

Vendor: Go-vikunja

Status
Vendor
CVE Published: 24 March 2026

What is CVE-2026-33335?

The Vikunja Desktop Electron wrapper passes URLs from window.open() calls directly to shell.openExternal() without adequate validation. An attacker can therefore embed harmful links in user-generated content. When a user interacts with such a link, the operating system may open a malicious URI scheme, which can execute local applications, access local files, or activate custom protocol handlers. Version 2.2.0 mitigates the risk by introducing validation checks.
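One way to validate window.open() targets before they reach shell.openExternal(), as an added example that is not Vikunja's actual 2.2.0 fix. The names safeExternalUrl and makeWindowOpenHandler and the scheme allowlist are assumptions; the shell object is injected so the check can be exercised outside Electron.

```javascript
// Added example, not project code. ALLOWED_SCHEMES is an assumed policy:
// only schemes the app really needs to hand to the operating system.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalized URL if it may be passed to the OS, otherwise null.
function safeExternalUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    // The WHATWG parser lowercases the scheme and strips leading whitespace,
    // so the check below sees the same scheme the OS handler would.
    parsed = new URL(raw);
  } catch {
    return null; // relative or malformed input is never forwarded
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Refuse web URLs that carry embedded credentials (user:pass@host).
  if (parsed.protocol !== 'mailto:' && (parsed.username || parsed.password)) {
    return null;
  }
  return parsed.href; // forward the parsed form, not the raw string
}

// Builds the callback for webContents.setWindowOpenHandler().
// `shell` is Electron's shell module in production, a stub in tests.
function makeWindowOpenHandler(shell, log = () => {}) {
  return ({ url }) => {
    const safe = safeExternalUrl(url);
    if (safe) {
      shell.openExternal(safe);
    } else {
      log(`blocked window.open target: ${JSON.stringify(url)}`);
    }
    return { action: 'deny' }; // never spawn a new BrowserWindow
  };
}

// Wiring in the Electron main process (not executed here):
//   const { shell } = require('electron');
//   win.webContents.setWindowOpenHandler(makeWindowOpenHandler(shell, console.warn));
```

Logging the blocked targets gives defenders a record of rejected schemes appearing in user-generated content.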

Affected Version(s)

vikunja >= 0.21.0, < 2.2.0

References

CVSS V4

Score: 6.4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
