PT-2026-60237 · Unknown · Cherry-Studio

Hanyin

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-40501

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Cherry Studio versions 1.2.2 through 1.9.12
Description A remote code execution issue exists in the SearchService. Remote attackers can execute arbitrary code by delivering malicious JavaScript through controlled search provider content. This occurs when content is loaded into an Electron BrowserWindow configured with nodeIntegration enabled and contextIsolation disabled. Attackers controlling a search engine provider, individual search result pages, or provider settings pages can execute JavaScript with full Node.js privileges, granting access to fs, child process, os, and process.env under the operating-system account of the Cherry Studio process.
Recommendations Update Cherry Studio versions 1.2.2 through 1.9.12 to the version containing commit 1518530.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-40501

Affected Products

Cherry-Studio