CVE-2026-33334
CRITICAL WAF: High
CVSS 9.6
Published: 2026-03-24
CWE-94 CWE-269 CWE-79
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
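An audit of the three renderer settings named above (the weak combination the advisory describes beside its hardened form), added here as an example and not code from Vikunja or Electron; it assumes current Electron defaults for keys that are absent and uses a placeholder preload path.

```javascript
// Added audit helper (not Vikunja's code) for the Electron renderer settings
// named in CVE-2026-33334. Missing keys are treated as the defaults of
// current Electron releases (assumed: nodeIntegration=false,
// contextIsolation=true, sandbox=true).
const ELECTRON_DEFAULTS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// The combination the advisory describes: page scripts can reach Node.js
// directly, so any XSS in the web frontend becomes code execution.
const VULNERABLE_WEB_PREFERENCES = {
  nodeIntegration: false || true, // enabled
  contextIsolation: false,
  sandbox: false,
};

// Hardened form: no Node in the renderer, isolated JS world, OS sandbox on.
// Anything the page legitimately needs from Node is exposed through a preload
// script over IPC (path below is a placeholder, not a Vikunja path).
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: '/placeholder/preload.js',
};

// Returns { severity, findings } for a BrowserWindow `webPreferences` object.
// 'critical' = XSS in the renderer escalates to native code execution.
function auditWebPreferences(prefs = {}) {
  const eff = { ...ELECTRON_DEFAULTS, ...prefs };
  const findings = [];
  if (eff.nodeIntegration) {
    findings.push('nodeIntegration enabled: renderer scripts can call Node.js APIs');
  }
  if (!eff.contextIsolation) {
    findings.push('contextIsolation disabled: page JS shares a world with preload/Node code');
  }
  if (!eff.sandbox) {
    findings.push('sandbox disabled: renderer is not an OS-sandboxed process');
  }
  let severity = 'none';
  if (eff.nodeIntegration && !eff.contextIsolation) severity = 'critical';
  else if (findings.length > 0) severity = 'high';
  return { severity, findings };
}

// In the main process this is what the window would be built with:
// new BrowserWindow({ webPreferences: HARDENED_WEB_PREFERENCES })
```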
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
933xxx - PHP Injection
934xxx - Node.js / Generic Injection
Improper Privilege Management
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Cross-Site Scripting (XSS)
High WAF Coverage
OWASP: A03:2021 Injection
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| vikunja | vikunja | 0.21.0 - 2.2.2 |
References
- github.com (Vendor Advisory)
- vikunja.io (Release Notes)