PT-2026-54018 · Npm · Electron-Updater

Published: 2026-06-30 · Updated: 2026-07-01 · CVE-2026-54672

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: electron-updater versions prior to 26.15.0

Description: AppImage targets built by app-builder-lib can use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This behavior causes the current working directory to be added to the dynamic linker search path, potentially allowing an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched.

Recommendations: Update to version 26.15.0 or later.
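
How an empty LD_LIBRARY_PATH entry arises and how to check for and avoid one, as an added shell example that is not code from app-builder-lib or electron-updater. The function names, the assumed "dir:$existing" form of the unsafe concatenation and the sample paths are constructed for illustration; the page does not show the affected script.

```shell
#!/bin/sh
# Added example: constructed helpers, not code from app-builder-lib.

# True (0) when a colon-separated search path contains an empty entry
# (leading ':', trailing ':' or '::'), which the description says makes
# the dynamic linker search the current working directory.
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumed form of the unsafe pattern: unconditional "dir:$existing".
# With an unset or empty existing value the result ends in ':'.
prepend_unsafe() { printf '%s:%s' "$1" "$2"; }

# Drop every empty entry from a colon-separated list.
strip_empty() {
    se_out=
    se_old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting
    for se_entry in $1; do
        if [ -n "$se_entry" ]; then se_out="${se_out:+$se_out:}$se_entry"; fi
    done
    set +f
    IFS=$se_old_ifs
    printf '%s' "$se_out"
}

# Hardened form: clean the inherited value, add ':' only if something remains.
prepend_safe() {
    ps_rest=$(strip_empty "$2")
    printf '%s%s' "$1" "${ps_rest:+:$ps_rest}"
}

# Constructed sample inputs: an AppImage-style lib dir and inherited values.
lib_dir=/tmp/.mount_sample/usr/lib
for inherited in "" "/opt/lib" ":/opt/lib" "/opt/lib::/usr/local/lib"; do
    for candidate in "$(prepend_unsafe "$lib_dir" "$inherited")" \
                     "$(prepend_safe "$lib_dir" "$inherited")"; do
        if has_empty_component "$candidate"; then verdict="EMPTY ENTRY"; else verdict="ok"; fi
        printf '%-12s %s\n' "$verdict" "$candidate"
    done
done
```

The same has_empty_component check can be run against the LD_LIBRARY_PATH value a launcher script exports, to confirm an installed build no longer produces an empty entry.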

Fix

Uncontrolled Search Path Element


Weakness Enumeration

Related Identifiers

CVE-2026-54672

Affected Products

Electron-Updater