Apple
CVE-2026-34779
MEDIUM
Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.
Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.840.8.039.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Electron's moveToApplicationsFolder() API on macOS improperly sanitizes application bundle paths in AppleScript fallback code, allowing arbitrary AppleScript execution when a user accepts a move-to-Applications prompt on a system with a crafted path. Remote code execution is possible if an attacker can control the installation path or launch context of an Electron application; however, this requires user interaction (accepting the move prompt) and is limited to local attack surface. No public exploit code or active exploitation has been identified. CVSS 6.5 reflects moderate risk due to local-only attack vector and user interaction requirement, though the impact (code execution) is severe.
Technical ContextAI
The vulnerability exists in Electron's implementation of the moveToApplicationsFolder() function on macOS, which provides a user-friendly mechanism to move applications to the Applications folder. The affected code uses an AppleScript fallback path for older or unsupported macOS versions that does not properly validate or escape special characters in the application bundle path before constructing and executing AppleScript commands. AppleScript is a high-level scripting language that runs with the privileges of the application invoking it; when crafted paths containing metacharacters (such as quotes, backticks, or semicolons) are embedded into dynamically constructed AppleScript strings, they can break out of the intended command context and execute arbitrary operations. This is a classic command injection vulnerability (CWE-78) affecting the npm/electron package across multiple major versions.
RemediationAI
Electron developers must upgrade to patched versions immediately: Electron 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 or later. These versions correct the AppleScript path sanitization to properly escape special characters before command construction. No application-level workarounds exist; the fix must be applied at the Electron framework level. Developers should update their npm/electron dependency to one of the fixed versions, rebuild their applications, and redistribute to users. Organizations that package or distribute Electron applications should verify that their build pipelines use patched Electron versions before final release. Consult the official GitHub Security Advisory (https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79) for additional context and timeline information.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5rqw-r77c-jp79