PT-2026-30009 · Electron · Electron
Published: 2026-04-03 · Updated: 2026-04-04
CVE-2026-34779
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Electron versions prior to 38.8.6, prior to 39.8.1, prior to 40.8.0, and prior to 41.0.0-beta.8
Description
On macOS, the app.moveToApplicationsFolder() function used an AppleScript fallback path that did not correctly handle certain characters in the application bundle path. This could allow for arbitrary AppleScript execution when a user accepted the move-to-Applications prompt, if the application bundle path was crafted maliciously. Applications are only affected if they call the app.moveToApplicationsFolder() function.
Recommendations
Update to Electron version 38.8.6 or later.
Update to Electron version 39.8.1 or later.
Update to Electron version 40.8.0 or later.
Update to Electron version 41.0.0-beta.8 or later.
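A version gate built from the fixed releases listed above, as an added example (not code from Electron or from this advisory). The function names are hypothetical, and it assumes each fixed release applies to its own major line, that majors below 38 count as "prior to 38.8.6", and that majors above 41 include the fix.

```javascript
// Added example. Fixed releases are copied from the advisory; all names are hypothetical.
const FIXED = { 38: '38.8.6', 39: '39.8.1', 40: '40.8.0', 41: '41.0.0-beta.8' };

// Split "X.Y.Z" or "X.Y.Z-tag.N" into numeric core and prerelease identifiers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Electron version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (!x.pre || !y.pre) return (x.pre ? 0 : 1) - (y.pre ? 0 : 1); // release > prerelease
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;          // shorter prerelease sorts first
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) {
      if (+p !== +q) return +p - +q;         // numeric identifiers compare as numbers
    } else if (pn !== qn) {
      return pn ? -1 : 1;                    // numeric sorts before alphanumeric
    } else if (p !== q) {
      return p < q ? -1 : 1;
    }
  }
  return 0;
}

function isAffected(version) {
  const { nums, pre } = parseVersion(version);
  if (nums[0] > 41) return false;            // assumption: later majors include the fix
  // Conservative: a "nightly" tag sorts after "beta" in semver, whatever its build date.
  if (pre && pre[0] === 'nightly') return true;
  const fixed = FIXED[nums[0]] || FIXED[38]; // older majors are "prior to 38.8.6"
  return compareVersions(version, fixed) < 0;
}

// Only allow the call the advisory names on macOS with a fixed runtime.
// In an Electron main process: shouldOfferMove(process.versions.electron, process.platform)
function shouldOfferMove(electronVersion, platform) {
  return platform === 'darwin' && !isAffected(electronVersion);
}
```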
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Electron