Skip to main content

electron-builder CVE-2026-54672

HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-30 GitHub_M
7.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.3 HIGH

Local search-path hijack needs the victim to launch from the attacker-staged directory, so AV:L and UI:R; attacker-controlled library yields full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 23:26 vuln.today

DescriptionCVE.org

electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.

AnalysisAI

Local arbitrary code execution in electron-builder (app-builder-lib) AppImage targets prior to 26.15.0 occurs because an empty path component in the runtime-set LD_LIBRARY_PATH adds the current working directory to the dynamic linker search path, letting an attacker who can plant a malicious shared library in the AppImage's launch directory hijack library loading. The flaw affects Linux AppImage bundles produced by app-builder-lib (the packaging engine behind electron-builder/electron-updater) and is fixed in 26.15.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local write access to launch directory
Delivery
Plant malicious .so matching a loaded library
Exploit
Victim runs AppImage from that directory
Execution
Empty LD_LIBRARY_PATH entry resolves '.'
Persist
ld.so loads attacker library
Impact
Arbitrary code executes as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the AppImage to have been built by a vulnerable app-builder-lib/electron-builder version (prior to 26.15.0) such that LD_LIBRARY_PATH contains an empty path component, the attacker to have write access to the directory from which the AppImage is launched in order to place a malicious shared library matching a loaded library name, and the victim to launch that AppImage from that same working directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 High) is internally consistent with a local search-path hijack: local attack vector, low complexity, and low privileges (the attacker needs the ability to drop a file in the launch directory and the victim to run the AppImage from there). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker drops a malicious shared library (named to match one the Electron app loads) into a directory a victim is likely to run an AppImage from - such as a shared download folder or /tmp on a multi-user host. When the victim launches the vulnerable AppImage from that directory, the empty LD_LIBRARY_PATH component causes ld.so to load the attacker's `.so` from the current directory, executing code as the victim. …
Remediation Vendor-released patch: 26.15.0 - upgrade app-builder-lib/electron-builder to 26.15.0 or later and rebuild all Linux AppImage targets so the corrected LD_LIBRARY_PATH (without empty components) is emitted, then redistribute the rebuilt artifacts to end users. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all development and production systems running electron-builder/app-builder-lib, with focus on versions predating 26.15.0 and any deployed AppImage bundles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54672 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy