Skip to main content

Electron Builder

4 CVEs product

Monthly

CVE-2026-54672 HIGH This Week

Local arbitrary code execution in electron-builder (app-builder-lib) AppImage targets prior to 26.15.0 occurs because an empty path component in the runtime-set LD_LIBRARY_PATH adds the current working directory to the dynamic linker search path, letting an attacker who can plant a malicious shared library in the AppImage's launch directory hijack library loading. The flaw affects Linux AppImage bundles produced by app-builder-lib (the packaging engine behind electron-builder/electron-updater) and is fixed in 26.15.0. No public exploit identified at time of analysis; CVSS 7.8 reflects high local impact rather than remote exposure.

RCE Electron Builder App Builder Lib
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-54673 HIGH This Week

Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. There is no public exploit identified at time of analysis, but the upstream fix is published in version 9.7.0.

Gitlab Information Disclosure Electron Builder Builder Util Runtime
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2024-39698 npm HIGH POC PATCH This Week

electron-updater allows for automatic updates for Electron apps. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XSS Microsoft Electron Builder
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-27303 npm HIGH PATCH This Week

electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Apple Information Disclosure Microsoft Electron Builder
NVD GitHub
CVSS 3.1
7.3
EPSS
0.3%
EPSS 0% CVSS 7.8
HIGH This Week

Local arbitrary code execution in electron-builder (app-builder-lib) AppImage targets prior to 26.15.0 occurs because an empty path component in the runtime-set LD_LIBRARY_PATH adds the current working directory to the dynamic linker search path, letting an attacker who can plant a malicious shared library in the AppImage's launch directory hijack library loading. The flaw affects Linux AppImage bundles produced by app-builder-lib (the packaging engine behind electron-builder/electron-updater) and is fixed in 26.15.0. No public exploit identified at time of analysis; CVSS 7.8 reflects high local impact rather than remote exposure.

RCE Electron Builder App Builder Lib
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. There is no public exploit identified at time of analysis, but the upstream fix is published in version 9.7.0.

Gitlab Information Disclosure Electron Builder +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

electron-updater allows for automatic updates for Electron apps. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XSS Microsoft Electron Builder
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Apple Information Disclosure Microsoft +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy