CVE-2026-33334— Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration

Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.

N/A

对生成代码的控制不恰当(代码注入)

Vikunja 安全漏洞

Vikunja是Vikunja开源的一个待办事项应用程序。 Vikunja 0.21.0至2.2.0之前版本存在安全漏洞，该漏洞源于Vikunja Desktop Electron包装器在渲染进程中启用了nodeIntegration但未启用contextIsolation或sandbox，可能导致任何跨站脚本漏洞自动升级为在受害者机器上执行完整远程代码。

N/A

N/A