The vulnerability CVE-2026-33335 affects the Vikunja Desktop application, an Electron-based wrapper for the Vikunja open-source task management platform. In versions from 0.21.0 up to 2.2.0, the application improperly handles URLs opened via window.open() calls by passing them directly to Electron's shell.openExternal() API without any validation or protocol allowlisting. This means that if an attacker can inject or place a link with target="_blank" or otherwise trigger window.open() in user-generated content, the victim's operating system will be instructed to open the URL using the default handler for that URI scheme. Because no restrictions exist, this can lead to arbitrary URI schemes being invoked, including custom protocols that launch local applications, open local files, or perform other actions outside the browser sandbox. This is classified under CWE-939 (Improper Authorization in Handler for Custom URL Scheme). The vulnerability does not require authentication but does require user interaction (clicking or triggering the link). The CVSS 4.0 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and high scope impact due to potential local system effects. The issue was addressed in Vikunja Desktop version 2.2.0 by implementing validation and protocol allowlisting before passing URLs to shell.openExternal(). No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where untrusted users can submit content containing links.

This vulnerability can lead to significant security risks for organizations using affected versions of Vikunja Desktop. An attacker able to inject malicious links into user-generated content can cause victims to unknowingly trigger arbitrary URI schemes, potentially launching local applications or opening sensitive files. This can be leveraged for local privilege escalation, data exfiltration, or execution of unintended commands on the victim’s machine. The impact is primarily on the confidentiality and integrity of the victim system, with possible availability implications if destructive local applications are invoked. Since Vikunja is used for task management, compromise could also lead to exposure or manipulation of sensitive organizational data. The risk is heightened in environments where multiple users can contribute content, such as collaborative teams or public-facing instances. Although no exploits are known in the wild, the ease of exploitation via crafted links and the broad scope of potential local effects make this a notable threat.

Organizations should upgrade Vikunja Desktop to version 2.2.0 or later, where the vulnerability is patched with proper URL validation and protocol allowlisting. Until upgrade is possible, administrators should restrict or sanitize user-generated content to prevent injection of links with target="_blank" or other window.open triggers. Implement content security policies or input validation to disallow arbitrary URLs or custom URI schemes in user inputs. Educate users to be cautious about clicking links from untrusted sources within the application. Consider deploying endpoint protection solutions that monitor and block suspicious protocol handler invocations. Additionally, review and limit the use of custom URI schemes on client systems to reduce attack surface. Regularly audit and monitor logs for unusual external application launches triggered from Vikunja Desktop. These steps combined will reduce the risk of exploitation and limit potential damage.