CVE-2026-33334CRITICAL 9.6EPSS p30.2%

CVE-2026-33334CVE-2026-33334

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.

Scoring

CVSS 3.19.6 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS0.39% probability of exploitation · percentile 30.2% · 2026-06-19T12:03:05Z
Published2026-03-24
Last modified2026-03-27

Underlying weaknesses· 3

CWE-94CWE-269CWE-79

References

  1. https://github.com/go-vikunja/vikunja/security/advisories/GHSA-xh67-63q3-hf7g
  2. https://vikunja.io/changelog/vikunja-v2.2.0-was-released

3

TypeTargetConfidenceTier
WeaknessImproper Privilege Managementcwe-2690%live
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33336
CVE
CVE-2026-33335
CVE
CVE-2026-27575
CVE
CVE-2026-33668
CVE
CVE-2026-33316
CVE
CVE-2026-33678
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.