PT-2026-38262 · Crates.Io+2 · Tauri

Grumpinout1 · Published 2026-05-06 · Updated 2026-05-27 · CVE-2026-42184

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Tauri versions 2.0 through 2.10.2

Description

A flaw in the is_local_url() function causes remote URLs to be incorrectly classified as trusted local origins on Windows and Android. On these platforms, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because the WebView implementations cannot serve custom URI schemes directly. The check for local origins validates only the first subdomain of the URL, so an attacker can host a page on a domain whose first subdomain matches the application's custom scheme (e.g., http://app.attacker.com/). This allows an attacker-controlled page to invoke backend commands that were intended to be restricted to the application's own frontend and protected from external or remote origins.

Recommendations

Update to version 2.10.3.
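
The first-subdomain weakness from the description, next to a full-host comparison, as an added Rust example that is neither Tauri's code nor the actual 2.10.3 fix. The names host_of, is_local_first_label_only and is_local_full_host are hypothetical, and "app" is an assumed custom scheme name.

```rust
// Added illustration, not Tauri's source. All function names are hypothetical.

/// Host part of an http(s) URL, std only. Accepting https is an assumption.
fn host_of(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("http://").or_else(|| url.strip_prefix("https://"))?;
    // The authority ends at the first path, query or fragment delimiter.
    let authority = rest.split(|c: char| matches!(c, '/' | '\\' | '?' | '#')).next()?;
    // Drop userinfo ("user@") and port (":80"); bracketed IPv6 never matches.
    let host = authority.rsplit('@').next()?.split(':').next()?;
    if host.is_empty() { None } else { Some(host) }
}

/// Weak pattern from the description: only the first label is compared.
fn is_local_first_label_only(url: &str, scheme: &str) -> bool {
    host_of(url)
        .and_then(|h| h.split('.').next())
        .map_or(false, |label| label.eq_ignore_ascii_case(scheme))
}

/// Stricter check: the entire host must be exactly "<scheme>.localhost".
fn is_local_full_host(url: &str, scheme: &str) -> bool {
    let expected = format!("{}.localhost", scheme);
    host_of(url).map_or(false, |h| h.eq_ignore_ascii_case(&expected))
}

fn main() {
    // Constructed sample URLs; "app" stands in for the custom scheme name.
    let samples = [
        "http://app.localhost/index.html",
        "http://app.attacker.com/", // example from the description
        "http://app.localhost.attacker.example/",
        "http://app.localhost@attacker.example/",
    ];
    for url in samples {
        println!(
            "{:<42} first-label={:<5} full-host={}",
            url,
            is_local_first_label_only(url, "app"),
            is_local_full_host(url, "app")
        );
    }
}
```

The full-host check fails closed: any URL whose host cannot be extracted, or whose host is not exactly the expected name, is treated as remote.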

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-42184
GHSA-7GMJ-67G7-PHM9

Affected Products

Tauri