MEDIUM🇵🇱 Wersja polska

CVE-2026-33335

CVSS 6.4v4.0pub. 2026-03-24upd. 2026-03-27

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Vikunja

    APP
    Vikunja
    0.21.0 – 2.2.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-28268CRITICAL9.8PL ✓ten sam produkt

Vikunja: wielokrotne użycie tokenu resetowania hasła — przejęcie konta

CVE-2026-27575CRITICAL9.1PL ✓ten sam produkt

Vikunja: słabe hasła i brak unieważniania sesji po zmianie hasła

CVE-2026-35595HIGH8.3ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/mod...

CVE-2026-34727HIGH7.4ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issu...

CVE-2026-33316HIGH8.1ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s pa...