ByteOS Network

NVD Vulnerability Details :

CVE-2026-33334

Analyzed

Source-security-advisories@github.com

Published At-24 Mar, 2026 | 16:16

Updated At-27 Mar, 2026 | 16:21

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	6.5	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	9.6	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Type: Secondary

Version: 4.0

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 9.6

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CPE Matches

vikunja>>vikunja>>Versions from 0.21.0(inclusive) to 2.2.2(exclusive)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-94	Primary	security-advisories@github.com
CWE-269	Primary	security-advisories@github.com
CWE-79	Primary	nvd@nist.gov

CWE ID: CWE-94

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-269

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-79

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-xh67-63q3-hf7g	security-advisories@github.com	Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.0-was-released	security-advisories@github.com	Release Notes

Hyperlink: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-xh67-63q3-hf7g

Source: security-advisories@github.com

Resource:

Vendor Advisory

Hyperlink: https://vikunja.io/changelog/vikunja-v2.2.0-was-released

Source: security-advisories@github.com

Resource:

Release Notes

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History