Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2026-34779
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
created 1 week, 3 days ago
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

Affected products

electron
  • ==< 38.8.6
  • ==>= 41.0.0-alpha.1, < 41.0.0-beta.8
  • ==>= 39.0.0-alpha.1, < 39.8.1
  • ==>= 40.0.0-alpha.1, < 40.8.0

Matching in nixpkgs

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail