Platform: nodejs
Component: node.js
Fixed in: 0.21.1, 2.2.3
CVE-2026-33336 is a critical remote code execution (RCE) vulnerability in Vikunja, an open-source self-hosted task management platform. The flaw is a misconfiguration of the Vikunja Desktop Electron wrapper: the renderer runs with nodeIntegration enabled and the window places no restriction on same-window navigations, so a navigation away from the application's own origin carries Node.js privileges with it. An attacker who can plant a link in user-generated content can use it to run arbitrary code on the machine of any desktop-app user who clicks it. The vulnerability affects Vikunja versions 0.21.0 through 2.2.2 and is fixed in version 2.2.3, the first release after the affected range.
The impact of CVE-2026-33336 is severe. An attacker who can write to a task description, comment, or project description plants a link there. When a user clicks it inside the Vikunja Desktop Electron application, the wrapper does not block the same-window navigation, so the BrowserWindow loads the attacker-controlled origin in place. Because nodeIntegration is enabled for that window, the attacker's JavaScript runs with full Node.js access to the victim's machine, which means arbitrary code execution and, from there, system compromise, data theft, or further actions. The blast radius is every user of the desktop application who clicks a link in user-generated content; users of the web client in an ordinary browser are outside it, since a browser grants page script no Node.js access.
CVE-2026-33336 was published on 2026-03-24. There is currently no indication of exploitation in the wild, and it is not listed in the CISA KEV catalog. No public proof-of-concept (PoC) code is available yet; since the exploit amounts to hosting a page and posting a link to it, one is easy to produce. The need for a victim to click keeps it from being exploited at scale in the way a vulnerability that needs no user action can be.
Self-hosted Vikunja deployments whose users run the Desktop Electron application are the ones at risk, and the more sensitive the tasks and data managed there, the higher the stakes of a compromised workstation. The multiplier is write access: any account that can author a task description, comment, or project description can target every desktop-app user who reads it, so instances shared among many users or open to external collaborators are exposed more widely than single-user ones. The vulnerable component is the client, so the hosting arrangement of the server (shared or dedicated) does not by itself change the exposure.
• linux / server: If Vikunja runs as a systemd unit, follow its log in real time. The server log will not show the malicious navigation itself, which happens inside the desktop client; it does show who created or edited tasks and comments, which is where a planted link lives.
journalctl -f -u vikunja
• generic web: Reverse-proxy access logs only record requests to your own Vikunja origin, so a navigation to an attacker origin never appears in them, and the string nodeIntegration is an Electron setting that is never written to an HTTP log. Use the access log to find the write requests (task and comment create/update calls against the API) around the time a suspicious link appeared.
grep -Ei '"(PUT|POST) /api/v1/' /var/log/nginx/access.log
• windows / endpoint: On the client, the indicator is the Vikunja desktop process spawning unexpected children or connecting to unfamiliar hosts. Get-Process has no Arguments property; use the CIM Win32_Process class to see the parent process and command line.
Get-CimInstance Win32_Process -Filter "Name LIKE '%vikunja%'" | Select-Object ProcessId, ParentProcessId, Name, CommandLine
Disclosure
Exploit status
EPSS: 0.27% (50th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33336 is to upgrade Vikunja Desktop to version 2.2.3 or later, which restricts same-window navigations and no longer enables nodeIntegration for the application window. If upgrading immediately is not feasible, remember that the vulnerable component is the desktop wrapper: using the web client in an ordinary browser until the upgrade removes the exposure for that user. Sanitizing user-generated content on the server to strip links to foreign origins reduces the attack surface but is not a complete fix, since it depends on catching every encoding of a link. Monitor for suspicious activity on the clients, in particular the desktop process spawning child processes or connecting to unexpected hosts. No Sigma or YARA rules specific to this vulnerability are available; generic monitoring of Node.js and Electron process behaviour is the fallback.
Update Vikunja Desktop to version 2.2.3 or later. This version fixes the vulnerability that allows remote code execution. Download the latest version from the official Vikunja website.
CVE-2026-33336 is a remote code execution vulnerability in Vikunja versions 0.21.0 through 2.2.2. It allows an attacker to execute arbitrary code on a Vikunja Desktop user's machine through a crafted link placed in a task description, comment, or project description.
If you are using Vikunja versions 0.21.0 through 2.2.2 and utilize the Desktop Electron application, you are potentially affected by this vulnerability.
Upgrade Vikunja Desktop to version 2.2.3 or later to resolve the vulnerability. As a temporary workaround, use the web client in a browser instead of the desktop application, and sanitize user-generated content to remove links to foreign origins.
There is currently no evidence of active exploitation in the wild, but the vulnerability's ease of exploitation suggests it may be targeted in the future.
Refer to the official Vikunja security advisory for detailed information and updates: [https://vikunja.io/security/](https://vikunja.io/security/)