Vikunja ist eine quelloffene, selbstgehostete Plattform für Aufgabenverwaltung. Ab Version 0.21.0 und vor Version 2.2.0 aktiviert der Vikunja Desktop Electron-Wrapper `nodeIntegration` im Renderer-Prozess ohne `contextIsolation` oder `sandbox`. Dies bedeutet, dass jede Cross-Site Scripting (XSS) Schwachstelle in der Vikunja Web-Frontend -- vorhanden oder zukünftig -- automatisch zu vollständiger Remote Code Execution auf der Maschine des Opfers eskaliert, da injizierte Skripte Zugriff auf Node.js APIs erhalten. Version 2.2.0 behebt dies.

The core issue lies in the Vikunja Desktop Electron wrapper's configuration, which enables nodeIntegration without contextIsolation or sandbox. This means any XSS vulnerability present or introduced in the Vikunja web frontend can be directly exploited to gain full remote code execution. An attacker could inject malicious JavaScript code through a vulnerable Vikunja web interface, and this code would then have access to Node.js APIs within the Electron environment. This grants the attacker the ability to read and write files, execute system commands, and potentially compromise the entire system. The blast radius extends to any sensitive data stored locally on the victim's machine, including credentials, configuration files, and personal information.

Users who rely on Vikunja Desktop for task management, particularly those running versions 0.21.0 through 2.2.2, are at significant risk. This includes individuals and organizations using Vikunja for personal or professional task tracking. Shared hosting environments where Vikunja Desktop is installed could expose multiple users to the vulnerability if the application is not properly secured.

• windows / supply-chain: Monitor Vikunja Desktop processes for unusual network activity or unexpected file modifications. Use Windows Defender to scan for suspicious files or registry keys associated with Vikunja.

Get-Process -Name VikunjaDesktop | Select-Object -ExpandProperty Path

• linux / server: Monitor Vikunja Desktop application logs for signs of XSS attempts or unusual Node.js activity. Use lsof to identify open files and network connections associated with the Vikunja Desktop process.

lsof -p $(pidof VikunjaDesktop)

• generic web: If Vikunja is accessible via a web interface, perform regular security scans for XSS vulnerabilities. Review access and error logs for suspicious requests or payloads.

grep -i 'script' /var/log/apache2/access.log

1. 2026-03-24Disclosure

   disclosure

2. 2026-03-24Patch

   patch

1. Reserviert2026-03-18
2. Veröffentlicht2026-03-24
3. Geändert2026-03-27
4. EPSS aktualisiert2026-04-01

The primary mitigation for CVE-2026-33334 is to immediately upgrade Vikunja Desktop Electron to version 2.2.0 or later. This version incorporates the necessary security enhancements to prevent the remote code execution vulnerability. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider temporarily disabling the Vikunja Desktop Electron application to reduce the attack surface. While a WAF or proxy cannot directly mitigate this vulnerability, ensuring the Vikunja web frontend is hardened against XSS attacks is crucial. Regularly scan the Vikunja web frontend for XSS vulnerabilities and apply appropriate patches.