Skip to main content

Apple CVE-2026-34779

MEDIUM
OS Command Injection (CWE-78)
2026-04-03 https://github.com/electron/electron GHSA-5rqw-r77c-jp79
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 03:00 vuln.today
CVE Published
Apr 03, 2026 - 02:46 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Impact

On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.

Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Electron's moveToApplicationsFolder() API on macOS improperly sanitizes application bundle paths in AppleScript fallback code, allowing arbitrary AppleScript execution when a user accepts a move-to-Applications prompt on a system with a crafted path. Remote code execution is possible if an attacker can control the installation path or launch context of an Electron application; however, this requires user interaction (accepting the move prompt) and is limited to local attack surface. No public exploit code or active exploitation has been identified. CVSS 6.5 reflects moderate risk due to local-only attack vector and user interaction requirement, though the impact (code execution) is severe.

Technical ContextAI

The vulnerability exists in Electron's implementation of the moveToApplicationsFolder() function on macOS, which provides a user-friendly mechanism to move applications to the Applications folder. The affected code uses an AppleScript fallback path for older or unsupported macOS versions that does not properly validate or escape special characters in the application bundle path before constructing and executing AppleScript commands. AppleScript is a high-level scripting language that runs with the privileges of the application invoking it; when crafted paths containing metacharacters (such as quotes, backticks, or semicolons) are embedded into dynamically constructed AppleScript strings, they can break out of the intended command context and execute arbitrary operations. This is a classic command injection vulnerability (CWE-78) affecting the npm/electron package across multiple major versions.

RemediationAI

Electron developers must upgrade to patched versions immediately: Electron 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 or later. These versions correct the AppleScript path sanitization to properly escape special characters before command construction. No application-level workarounds exist; the fix must be applied at the Electron framework level. Developers should update their npm/electron dependency to one of the fixed versions, rebuild their applications, and redistribute to users. Organizations that package or distribute Electron applications should verify that their build pipelines use patched Electron versions before final release. Consult the official GitHub Security Advisory (https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79) for additional context and timeline information.

Share

CVE-2026-34779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy