Remote Code Execution Flaw in Vikunja Task Management Platform
CVE-2026-33336

6.5 MEDIUM

Key Information:

Vendor

Go-vikunja

Status
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33336?

Vikunja, an open-source self-hosted task management tool, has a vulnerability caused by a misconfiguration in its Desktop Electron wrapper. With the nodeIntegration setting enabled, content loaded in the wrapper's browser context has full access to Node.js APIs. Because the wrapper has no proper navigation handlers, attackers can craft user-generated content containing malicious links. When a victim interacts with this content, the application navigates to the attacker-controlled site inside that same context, leading to arbitrary code execution on the victim's system. Vikunja version 2.2.0 addresses this serious security flaw.
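The weak setting described above next to a hardened counterpart with navigation handlers, as an added example that is not Vikunja's own code or its 2.2.0 fix. `APP_ORIGIN`, `isInAppUrl`, `isSafeExternal` and `installNavigationGuards` are hypothetical names, the origin value is constructed, and `openExternal` stands in for Electron's `shell.openExternal`.

```javascript
// Added example for an Electron wrapper; not Vikunja's code.
// APP_ORIGIN is a constructed placeholder for the origin the wrapper loads.
const APP_ORIGIN = 'http://127.0.0.1:45678';

// Weak: the page, and any site the window navigates to, gets Node.js APIs.
const weakWebPreferences = { nodeIntegration: true, contextIsolation: false };

// Hardened: the renderer has no Node.js access and runs sandboxed.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// True only for URLs on the application's own origin.
function isInAppUrl(rawUrl) {
  try {
    return new URL(rawUrl).origin === APP_ORIGIN;
  } catch {
    return false; // unparsable URL: treat as external
  }
}

// Only http(s) links may be handed to the operating system's browser.
function isSafeExternal(rawUrl) {
  try {
    return ['http:', 'https:'].includes(new URL(rawUrl).protocol);
  } catch {
    return false;
  }
}

// Attach navigation handlers to a BrowserWindow's webContents so that
// links in user-generated content never load inside the app window.
function installNavigationGuards(webContents, openExternal) {
  webContents.on('will-navigate', (event, url) => {
    if (isInAppUrl(url)) return;           // in-app navigation continues
    event.preventDefault();                // foreign site never loads here
    if (isSafeExternal(url)) openExternal(url);
  });
  webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternal(url)) openExternal(url);
    return { action: 'deny' };             // never spawn a child window
  });
}
```

In a real wrapper the guards would be installed on `win.webContents` before the first page load, with `hardenedWebPreferences` passed as the window's `webPreferences`.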

Affected Version(s)

vikunja >= 0.21.0, < 2.2.0

CVSS V4

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown
