CVE-2026-33335
Published: 24 March 2026
Summary
CVE-2026-33335 is a high-severity Improper Authorization in Handler for Custom URL Scheme (CWE-939) vulnerability in Vikunja (Vikunja Desktop). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 13.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation): Requires validation of information inputs such as URLs from window.open() calls before they are passed to shell.openExternal(), directly preventing arbitrary URI scheme execution.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and timely patching of flaws like the unvalidated URL handling in Vikunja Desktop versions prior to 2.2.0.
- Configuration settings: Enforces secure configuration settings for the Electron wrapper, including protocol restrictions or validation mechanisms to mitigate unsafe shell.openExternal usage.
MITRE ATT&CK Enterprise Techniques (AI-generated)
- T1203 Exploitation for Client Execution
Why these techniques?
The client-side Electron vulnerability allows direct exploitation of improper URL handling (window.open passed to shell.openExternal without validation) to invoke arbitrary URI schemes, local files, or protocol handlers, resulting in code execution on the victim's desktop.
NVD Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
Deeper analysis (AI-generated)
CVE-2026-33335 affects the Desktop Electron wrapper of Vikunja, an open-source self-hosted task management platform. The vulnerability exists in versions starting from 0.21.0 and prior to 2.2.0, where URLs from `window.open()` calls are passed directly to `shell.openExternal()` without validation or protocol allowlisting. This flaw, classified under CWE-939 (Improper Authorization in Handler for Custom URL Scheme), has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
An attacker with low privileges (PR:L), such as an authenticated user able to inject content into Vikunja, can exploit this by placing malicious links with `target="_blank"` or other triggers for `window.open()` in user-generated content. When a victim interacts with the link (UI:R), it causes the victim's operating system to open arbitrary URI schemes. This enables invoking local applications, opening local files, or triggering custom protocol handlers, potentially leading to high confidentiality, integrity, and availability impacts.
The GitHub security advisory (GHSA-6q44-85gc-cjvf) and Vikunja changelog for version 2.2.0 detail the patch, which resolves the issue by addressing the lack of validation in the Electron wrapper. Security practitioners should advise upgrading to version 2.2.0 or later to mitigate the vulnerability.
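The following is an added example, not Vikunja's code and not the 2.2.0 patch itself, of the protocol allowlisting the analysis above calls for: a URL classifier that accepts only a fixed set of schemes, and a handler built around it for Electron's `webContents.setWindowOpenHandler()` (a real Electron API; the function names `classifyExternalUrl` and `makeWindowOpenHandler`, the allowlist contents, and the injected `openExternal` callback are assumptions of this example). It runs under plain Node without Electron installed; the Electron wiring is shown in a comment.

```javascript
// Added example (not Vikunja's code): a protocol allowlist for URLs that an
// Electron app would otherwise hand straight to shell.openExternal().
// Runs under plain Node; the handler factory takes the openExternal function
// as a parameter so it can be exercised without Electron installed.

// Only schemes a task-management desktop client has a reason to open.
// Assumption for this example; a real allowlist must match the app's needs.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Returns { ok: true, url } for an acceptable absolute URL, otherwise
// { ok: false, reason }. Never throws: a malformed URL is simply rejected.
function classifyExternalUrl(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) {
    return { ok: false, reason: 'not a string or too long' };
  }
  let parsed;
  try {
    // WHATWG URL parser: relative URLs and garbage throw here and are rejected.
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Scheme check is exact, against the parser's normalized (lower-cased) form,
  // so 'HTTPS:' passes and 'customapp:' or 'file:' do not.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  // Hand the normalized form onward, never the raw string.
  return { ok: true, url: parsed.href };
}

// Builds the callback to register with win.webContents.setWindowOpenHandler().
// Returning { action: 'deny' } stops Electron from creating a BrowserWindow
// for the window.open() call; whether anything opens at all is then our call.
// openExternal and log are injected so the decision can be tested offline.
function makeWindowOpenHandler(openExternal, log = () => {}) {
  return ({ url }) => {
    const verdict = classifyExternalUrl(url);
    if (verdict.ok) {
      openExternal(verdict.url);
    } else {
      log(`blocked window.open target: ${verdict.reason}`);
    }
    return { action: 'deny' };
  };
}

// Wiring as it would appear in an Electron main process (not executed here):
//   const { shell } = require('electron');
//   win.webContents.setWindowOpenHandler(
//     makeWindowOpenHandler((u) => shell.openExternal(u), console.warn));
```

The design point is that the allowlist is checked on the parsed, normalized scheme rather than on the raw string, and that rejection is silent toward the renderer: the handler always returns `deny`, so a blocked link neither spawns a window nor reaches the OS. Logging the rejection reason gives the desktop client a detection signal for content that tries non-web schemes.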
Details
- CWE(s): CWE-939 (Improper Authorization in Handler for Custom URL Scheme)