PT-2026-40423 · Pulpy · Pulpy

Published: 2026-05-12 · Updated: 2026-05-14 · CVE-2026-44225

CVSS v3.1: 9.3 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Pulpy versions prior to 0.1.1

Description

Pulpy injects a pulpy.fs JavaScript API into packaged web applications to provide host filesystem access. The validateFsPath() function, intended to sandbox this access, contains an incomplete blocklist. This allows any packaged web application to read and write arbitrary files within the user's home directory, such as ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/.

Recommendations

Update to version 0.1.1.
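
The description attributes the flaw to an incomplete blocklist in validateFsPath(). The following Node.js example is added here for illustration and is not Pulpy's code or its 0.1.1 fix: it shows the allowlist alternative, where a requested path is canonicalised and accepted only if it lands inside one application root. confinePath(), canonicalise() and the app-data root are hypothetical names, and the demo uses a constructed throwaway directory.

```javascript
// Added illustration, not Pulpy's code. confinePath(), canonicalise() and the
// "app-data" root are hypothetical names chosen for this example.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Canonicalise a path whose tail may not exist yet (needed for writes):
// realpath the deepest existing ancestor, then re-append the missing tail.
function canonicalise(p) {
  const tail = [];
  let cur = path.resolve(p);
  for (;;) {
    try { return path.join(fs.realpathSync(cur), ...tail); } catch (err) {
      if (err.code !== 'ENOENT') throw err;
      // The entry exists but does not resolve: a dangling symlink. Refuse it,
      // because a later write would follow the link to wherever it points.
      if (fs.lstatSync(cur, { throwIfNoEntry: false })) throw new Error('dangling symlink');
      tail.unshift(path.basename(cur));
      cur = path.dirname(cur);
    }
  }
}

// Allowlist check: return the canonical path if it is inside root, else null.
function confinePath(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  try {
    const realRoot = fs.realpathSync(root);
    const target = canonicalise(path.resolve(realRoot, requested));
    const rel = path.relative(realRoot, target);
    const outside = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
    return outside ? null : target;
  } catch { return null; }
}

// Constructed demo: a throwaway "home" under the temp dir, never the real one.
function demo() {
  const home = fs.mkdtempSync(path.join(os.tmpdir(), 'fake-home-'));
  const root = path.join(home, 'app-data');
  fs.mkdirSync(root);
  fs.mkdirSync(path.join(home, '.ssh'));
  fs.writeFileSync(path.join(home, '.ssh', 'id_rsa'), 'constructed placeholder');
  fs.symlinkSync(path.join(home, '.ssh'), path.join(root, 'keys'));
  const ok = (p) => confinePath(root, p) !== null;
  return { newFile: ok('notes/todo.txt'), dotdot: ok('../.ssh/id_rsa'),
           absolute: ok(path.join(home, '.ssh', 'id_rsa')), symlink: ok('keys/id_rsa') };
}
```

Callers should open the canonical path that confinePath() returns rather than the original string, since the check and the later file operation are separate steps.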

Exploit

Fix

Path traversal

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-44225

Affected Products

Pulpy