electron-builder
CVE-2026-54672
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local search-path hijack needs the victim to launch from the attacker-staged directory, so AV:L and UI:R; attacker-controlled library yields full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.
AnalysisAI
Local arbitrary code execution in electron-builder (app-builder-lib) AppImage targets prior to 26.15.0 occurs because an empty path component in the runtime-set LD_LIBRARY_PATH adds the current working directory to the dynamic linker search path, letting an attacker who can plant a malicious shared library in the AppImage's launch directory hijack library loading. The flaw affects Linux AppImage bundles produced by app-builder-lib (the packaging engine behind electron-builder/electron-updater) and is fixed in 26.15.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the AppImage to have been built by a vulnerable app-builder-lib/electron-builder version (prior to 26.15.0) such that LD_LIBRARY_PATH contains an empty path component, the attacker to have write access to the directory from which the AppImage is launched in order to place a malicious shared library matching a loaded library name, and the victim to launch that AppImage from that same working directory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 High) is internally consistent with a local search-path hijack: local attack vector, low complexity, and low privileges (the attacker needs the ability to drop a file in the launch directory and the victim to run the AppImage from there). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker drops a malicious shared library (named to match one the Electron app loads) into a directory a victim is likely to run an AppImage from - such as a shared download folder or /tmp on a multi-user host. When the victim launches the vulnerable AppImage from that directory, the empty LD_LIBRARY_PATH component causes ld.so to load the attacker's `.so` from the current directory, executing code as the victim. … |
| Remediation | Vendor-released patch: 26.15.0 - upgrade app-builder-lib/electron-builder to 26.15.0 or later and rebuild all Linux AppImage targets so the corrected LD_LIBRARY_PATH (without empty components) is emitted, then redistribute the rebuilt artifacts to end users. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all development and production systems running electron-builder/app-builder-lib, with focus on versions predating 26.15.0 and any deployed AppImage bundles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Electron Builder
View allelectron-updater allows for automatic updates for Electron apps. Rated high severity (CVSS 7.5), this vulnerability is r
Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7
electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Wind
Same weakness CWE-427 – Uncontrolled Search Path Element
View allShare
External POC / Exploit Code
Leaving vuln.today