CVE-2026-33336 is a critical security vulnerability in the Vikunja Desktop Electron wrapper affecting versions >=0.21.0 and <2.2.0. The root cause lies in two misconfigurations: first, the Electron BrowserWindow is created with nodeIntegration set to true, granting any loaded page full access to Node.js APIs such as 'require', 'child_process', and 'fs'. Second, the application does not implement a 'will-navigate' or 'will-redirect' event handler on the webContents, which means same-window navigations triggered by user clicks on links or redirects are not intercepted or blocked. Attackers with normal user privileges on the same Vikunja instance can insert sanitized but malicious hyperlinks into user-generated content like task descriptions or project descriptions. When a victim clicks such a link in the Vikunja Desktop app, the BrowserWindow navigates to the attacker-controlled URL within the same renderer process. Because nodeIntegration is enabled, the attacker's page executes JavaScript with full Node.js privileges, allowing arbitrary command execution on the victim's OS user context. This can lead to reading/writing arbitrary files, installing malware, exfiltrating credentials, and full system compromise. The vulnerability does not require traditional cross-site scripting since the link is a legitimate anchor tag allowed by DOMPurify sanitization. The issue is fixed in Vikunja Desktop version 2.2.0 by disabling nodeIntegration or restricting navigation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H) indicates network attack vector, low complexity, no privileges or authentication required, user interaction needed, and high scope impact on confidentiality, integrity, and availability.

This vulnerability enables full remote code execution on the victim's desktop via a seemingly benign hyperlink in user-generated content. The attacker can execute arbitrary OS commands with the victim user's privileges, leading to potential data theft, malware installation, persistence mechanisms, lateral movement, and complete system compromise. Since Vikunja is a task management platform often used in collaborative environments, attackers can leverage normal membership to escalate attacks against other users. The impact extends beyond confidentiality breaches to integrity and availability, as attackers can modify or delete files, disrupt workflows, or deploy ransomware. The ease of exploitation—requiring only a user click on a sanitized link—makes this a high-risk threat for organizations relying on Vikunja Desktop. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability’s presence in open-source software with growing adoption poses a significant future risk if unpatched.

1. Upgrade Vikunja Desktop to version 2.2.0 or later, where nodeIntegration is disabled or navigation restrictions are implemented. 2. If upgrading is not immediately possible, disable nodeIntegration manually in the Electron BrowserWindow configuration to prevent Node.js API access from renderer processes. 3. Implement 'will-navigate' and 'will-redirect' event handlers in the Electron app to intercept and block or validate all navigation attempts, especially same-window navigations triggered by user clicks or redirects. 4. Restrict or sanitize user-generated content to disallow or neutralize clickable links that could lead to external origins. 5. Educate users to avoid clicking suspicious links within the application, especially from untrusted collaborators. 6. Employ endpoint protection solutions capable of detecting anomalous process executions initiated by Electron apps. 7. Monitor network traffic for unexpected connections to external domains originating from Vikunja Desktop. 8. Consider sandboxing or running Vikunja Desktop in restricted environments to limit damage from potential exploitation.