{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33335", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.812Z", "datePublished": "2026-03-24T15:07:41.460Z", "dateUpdated": "2026-03-25T13:41:50.096Z"}, "containers": {"cna": {"title": "Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal", "problemTypes": [{"descriptions": [{"cweId": "CWE-939", "lang": "en", "description": "CWE-939: Improper Authorization in Handler for Custom URL Scheme", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": ">= 0.21.0, < 2.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:07:41.460Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target=\"_blank\"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue."}], "source": {"advisory": "GHSA-6q44-85gc-cjvf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:41:45.712476Z", "id": "CVE-2026-33335", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:41:50.096Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33335", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.812Z", "datePublished": "2026-03-24T15:07:41.460Z", "dateUpdated": "2026-03-25T13:41:50.096Z"}, "containers": {"cna": {"title": "Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal", "problemTypes": [{"descriptions": [{"cweId": "CWE-939", "lang": "en", "description": "CWE-939: Improper Authorization in Handler for Custom URL Scheme", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": ">= 0.21.0, < 2.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:07:41.460Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target=\"_blank\"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue."}], "source": {"advisory": "GHSA-6q44-85gc-cjvf", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33335", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:41:45.712476Z"}}}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:41:40.308Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE5EF0A7-C1CA-45D6-9422-16F867671DFF", "versionEndExcluding": "2.2.2", "versionStartIncluding": "0.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target=\"_blank\"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto y autoalojada. A partir de la versi\u00f3n 0.21.0 y antes de la versi\u00f3n 2.2.0, el *wrapper* de Electron de Vikunja Desktop pasa las URL de las llamadas a `window.open()` directamente a `shell.openExternal()` sin ninguna validaci\u00f3n o lista blanca de *protocolos*. Un *atacante* que puede colocar un enlace con `target=\"_blank\"` (o que de otro modo active `window.open`) en contenido generado por el usuario puede hacer que el *sistema operativo* de la v\u00edctima abra esquemas URI arbitrarios, invocando aplicaciones locales, abriendo archivos locales o activando manejadores de *protocolos* personalizados. La versi\u00f3n 2.2.0 corrige el problema."}], "id": "CVE-2026-33335", "lastModified": "2026-03-27T16:58:07.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T16:16:33.227", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-6q44-85gc-cjvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-939"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.21.0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-15T08:36:25.560175+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja Desktop to version 2.2.0 or later, which adds validation to shell.openExternal() calls.", "Limit who can create or edit user\u2011generated content that may contain links; restrict editing privileges to trusted users to reduce the attack surface.", "If an upgrade is not immediately possible, consider disabling or removing the shell.openExternal() feature in the client, or applying a local patch that rejects non\u2011HTTPS URI schemes when invoked from user content."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Local Application Invocation"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Vikunja Desktop releases starting with version 0.21.0 and continues through all builds prior to version 2.2.0. Users running any earlier Vikunja Desktop client are exposed. The product is an open\u2011source, self\u2011hosted task\u2011management platform distributed by the Vikunja organization.", "description_and_impact": "Vikunja Desktop\u2019s Electron wrapper forwards URLs from window.open() calls directly to shell.openExternal() without validating or restricting the protocols. An attacker who can insert a link\u2014such as one with target=\"_blank\"\u2014into user\u2011generated content can cause the victim\u2019s operating system to open any URI scheme. The OS then launches the associated application, opens a local file, or triggers a custom protocol handler, effectively giving the attacker the ability to invoke local applications or access local resources.", "risk_and_exploitability": "The overall severity rating of the defect is moderate with a score of 6.4. Estimated exploitation probability is less than 1%, and the vulnerability is not listed in the Known Exploited Vulnerabilities catalog. Exploitation requires malicious user\u2011generated content containing an actionable link and front\u2011end interaction by the victim, indicating a client\u2011side, socially engineered attack vector."}}}}, "created": "2026-03-25T11:47:16.698937+00:00", "updated": "2026-04-15T16:45:09.806501+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}