PT-2026-46090 · Npm · Launch-Editor+1

Published: 2026-06-03 · Updated: 2026-06-03

CVSS v4.0: 7.5 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Due to insufficient sanitization of the file argument of launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.

Impact

If all of the following conditions are met, an attacker can execute arbitrary commands on the computer that is running launch-editor:
  • The attacker can place a file with a malicious filename
  • The attacker can call the launchEditor method with a file argument they control
  • The launch-editor package is running on Windows
For example, some development servers that use this package satisfy these conditions, because a malicious website might be able to force the download of a file whose path is predictable.

Patch

This issue has been fixed in launch-editor version 2.9.0 (commit).
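
A caller-side check on the file argument, as an added example that is not launch-editor's code or its 2.9.0 fix: it refuses filenames carrying cmd.exe metacharacters before a development server hands them to the launcher. The names checkEditorTarget, splitFileSpec and guardedLaunch, the character list and the sample paths are assumptions constructed for illustration.

```javascript
// Added example: caller-side guard, not launch-editor's own code or fix.
// Characters cmd.exe treats as syntax (command separators, redirection,
// escape, variable expansion, quoting, grouping). Conservative,
// constructed list: it also refuses harmless names like "copy (1).js".
const CMD_METACHARS = /[&|<>^%!"()]/;
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// Split "file:line:column" without mistaking the drive-letter colon in
// "C:\..." for a position separator. The pattern always matches.
function splitFileSpec(spec) {
  const [, file, line, column] = /^(.*?)(?::(\d+)(?::(\d+))?)?$/s.exec(spec);
  return {
    file,
    line: line === undefined ? undefined : Number(line),
    column: column === undefined ? undefined : Number(column),
  };
}

// Decide whether a file spec may be handed to the editor launcher.
// `platform` defaults to the host so callers and tests can force 'win32'.
function checkEditorTarget(spec, platform = process.platform) {
  if (typeof spec !== 'string') return { ok: false, reason: 'non-string file argument' };
  const target = splitFileSpec(spec);
  if (target.file.length === 0) return { ok: false, reason: 'empty filename' };
  if (CONTROL_CHARS.test(target.file)) {
    return { ok: false, reason: 'control character in filename' };
  }
  // The advisory's third condition: only Windows is affected.
  const hit = platform === 'win32' ? CMD_METACHARS.exec(target.file) : null;
  if (hit) {
    return { ok: false, reason: `cmd.exe metacharacter ${JSON.stringify(hit[0])} in filename` };
  }
  return { ok: true, ...target };
}

// `launch` stands in for the function exported by launch-editor; it is
// injected so the guard can be exercised without the package installed.
function guardedLaunch(launch, spec, platform = process.platform) {
  const verdict = checkEditorTarget(spec, platform);
  if (verdict.ok) launch(spec);
  return verdict; // log verdict.reason on rejection for later review
}

// Constructed sample inputs, evaluated as if running on Windows.
for (const spec of ['C:\\proj\\src\\App.vue:12:5', 'C:\\Users\\dev\\Downloads\\report&notes.txt']) {
  console.log(spec, '->', JSON.stringify(checkEditorTarget(spec, 'win32')));
}
```

The guard is defence in depth for callers; it does not replace upgrading to the fixed version.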

Fix

Command Injection

Weakness Enumeration

Related Identifiers

GHSA-C27G-Q93R-2CWF

Affected Products

Launch-Editor
Vite