PT-2026-54018 · Npm · Electron-Updater
Published
2026-06-30
·
Updated
2026-07-01
·
CVE-2026-54672
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
electron-updater versions prior to 26.15.0
Description
AppImage targets built by app-builder-lib can use an empty path component when setting the
LD LIBRARY PATH environment variable at runtime. This behavior causes the current working directory to be added to the dynamic linker search path, potentially allowing an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched.Recommendations
Update to version 26.15.0 or later.
Fix
Uncontrolled Search Path Element
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Electron-Updater