Platform: nodejs
Component: node.js
Fixed in: 0.21.1, 2.2.3
CVE-2026-33334 describes a critical Cross-Site Scripting (XSS) vulnerability within the Vikunja Desktop Electron wrapper. This flaw, present in versions 0.21.0 through 2.2.2, enables attackers to escalate XSS vulnerabilities in the Vikunja web frontend to full remote code execution on the victim's machine. The vulnerability stems from the lack of context isolation and sandboxing, granting injected scripts access to Node.js APIs. Version 2.2.0 addresses this issue.
The impact of CVE-2026-33334 is severe. An attacker exploiting this vulnerability can execute arbitrary code on the machine running the Vikunja Desktop application. This could lead to complete system compromise, including data theft, malware installation, and further lateral movement within the network. Because the vulnerability uses an XSS payload to gain Node.js access, any existing or future XSS vulnerability in the Vikunja web interface becomes a pathway to remote code execution. This is a significant escalation of risk compared to a standard XSS vulnerability: instead of being confined by the browser's security boundaries, the injected script runs with the privileges of the Node.js process.
CVE-2026-33334 was publicly disclosed on March 24, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature makes it likely that a POC will be developed given the ease of exploitation once a suitable XSS vector is identified.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33334 is to immediately upgrade Vikunja Desktop to version 2.2.0 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider isolating the Vikunja Desktop application within a sandboxed environment to limit the potential impact of successful exploitation. While not a direct mitigation, ensuring the Vikunja web frontend is regularly scanned for and patched against XSS vulnerabilities is crucial to reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this particular vulnerability, as it's a code execution issue triggered by XSS.
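The root cause described above (missing context isolation and sandboxing in the Electron wrapper) and the mitigation both come down to the Electron BrowserWindow `webPreferences` settings. The following is an added example, not code from the Vikunja project or from this advisory: it places a weak `webPreferences` object beside a hardened one and provides a small audit function a defender can run over a window configuration (for instance in CI) to flag the settings that let a renderer-side XSS payload reach Node.js APIs. The Electron option names are real `webPreferences` keys; the `legacyDefaults` flag, the finding texts and the preload path are assumptions made for this example.

```javascript
// Added example (not Vikunja project code): audit Electron webPreferences for the
// settings that turn a renderer-side XSS into Node.js code execution.

// Weak configuration: page scripts get require()/process directly and share a
// JavaScript world with the preload script, so any XSS payload can reach the OS.
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
};

// Hardened configuration: no Node.js in the renderer, isolated JS contexts, and the
// OS-level renderer sandbox on. Anything the page legitimately needs from the main
// process is exposed explicitly through contextBridge in the preload script.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: "/path/to/preload.js", // placeholder path (assumption for this example)
};

// Returns a list of findings; an empty list means the renderer is isolated.
// `legacyDefaults` (an assumption for this example) models older Electron releases
// in which contextIsolation and sandbox were off unless set, so a missing key is
// treated as the unsafe value. With modern defaults a missing key is treated as safe.
function auditWebPreferences(prefs = {}, { legacyDefaults = false } = {}) {
  const findings = [];

  // Resolve the effective value of a key given its explicit setting or a default.
  const effective = (key, legacyDefault, modernDefault) => {
    if (prefs[key] !== undefined) return prefs[key];
    return legacyDefaults ? legacyDefault : modernDefault;
  };

  if (effective("nodeIntegration", false, false) === true) {
    findings.push("nodeIntegration=true: page scripts can call require() and reach the OS");
  }
  if (effective("contextIsolation", false, true) === false) {
    findings.push("contextIsolation=false: page scripts share a JS world with the preload script");
  }
  if (effective("sandbox", false, true) === false) {
    findings.push("sandbox=false: the renderer runs without the OS-level process sandbox");
  }
  if (effective("webSecurity", true, true) === false) {
    findings.push("webSecurity=false: same-origin policy is not enforced in the renderer");
  }
  return findings;
}

// Convenience predicate for a CI gate: fail the build when any finding is present.
function isRendererIsolated(prefs, options) {
  return auditWebPreferences(prefs, options).length === 0;
}

console.log("weak:", auditWebPreferences(WEAK_WEB_PREFERENCES));
console.log("hardened:", auditWebPreferences(HARDENED_WEB_PREFERENCES));
```

The hardened object yields no findings and the weak one yields three. Note that hardening the window is only half of the boundary: in a hardened build the preload script should expose, via Electron's contextBridge, only the narrow functions the frontend actually needs, because anything exposed there remains callable by an XSS payload in the page.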
Update Vikunja Desktop to version 2.2.0 or higher. This version fixes the vulnerability that allows remote code execution via XSS.
CVE-2026-33334 is a critical Cross-Site Scripting (XSS) vulnerability in Vikunja Desktop versions 0.21.0–2.2.2 that allows for remote code execution.
You are affected if you are running Vikunja Desktop versions 0.21.0 through 2.2.2. Upgrade to 2.2.0 or later to resolve the issue.
Upgrade Vikunja Desktop to version 2.2.0 or later. If immediate upgrade is not possible, consider sandboxing the application.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes it likely that exploitation will occur.
Refer to the official Vikunja project website and security advisories for the latest information and updates.