PT-2026-22689 · Affine · Affine

Jackfromeast +3 · Published 2026-03-02 · Updated 2026-03-03 · CVE-2026-21853

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AFFiNE versions prior to 0.25.4

Description

AFFiNE is an open-source workspace and operating system. Versions prior to 0.25.4 contain a one-click remote code execution issue. An attacker can exploit this by embedding a specially crafted affine: URL on a website. Exploitation occurs when a victim visits a malicious website that redirects to the URL, or clicks a crafted link on a legitimate website. This triggers the AFFiNE custom URL handler, launching the application and processing the URL, resulting in arbitrary code execution on the victim’s machine without further interaction.

Recommendations

Update to version 0.25.4 or later.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-21853
GHSA-67VM-2MCJ-8965

Affected Products

Affine