Name of the Vulnerable Software and Affected Versions:
Figma Desktop version 125.6.5
Description:
Figma Desktop for Windows version 125.6.5 contains a command injection issue in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted `build` field in the plugin's `manifest.json`. This field is passed to `child_process.exec` without validation, potentially leading to remote code execution (RCE).
Recommendations:
Update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting the use of local plugins until a patch is available.