PT-2026-60237 · Unknown · Cherry-Studio
Hanyin
·
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-40501
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Cherry Studio versions 1.2.2 through 1.9.12
Description
A remote code execution issue exists in the SearchService. Remote attackers can execute arbitrary code by delivering malicious JavaScript through controlled search provider content. This occurs when content is loaded into an Electron BrowserWindow configured with
nodeIntegration enabled and contextIsolation disabled. Attackers controlling a search engine provider, individual search result pages, or provider settings pages can execute JavaScript with full Node.js privileges, granting access to fs, child process, os, and process.env under the operating-system account of the Cherry Studio process.Recommendations
Update Cherry Studio versions 1.2.2 through 1.9.12 to the version containing commit 1518530.
Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cherry-Studio