Vulnerability details: VCID-hynm-7wty-ruhq
Vulnerability ID VCID-hynm-7wty-ruhq
Aliases CVE-2026-34779
GHSA-5rqw-r77c-jp79
Summary Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

### Impact

On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.

Apps are only affected if they call `app.moveToApplicationsFolder()`. Apps that do not use this API are not affected.

### Workarounds

There are no app-side workarounds; developers must update to a patched version of Electron.

### Fixed Versions

* `41.0.0-beta.8`
* `40.8.0`
* `39.8.1`
* `38.8.6`

### For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
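As an added check, not part of the advisory or the Electron project's own code: a small JavaScript helper that decides whether a given Electron version carries one of the fixed versions listed in the advisory (so a preflight or CI step can fail on affected versions, since the advisory offers no app-side workaround), together with the escaping an AppleScript string literal needs when a path is embedded in script text. The function names, the semver handling, and the treatment of release lines the advisory does not list (older than 38 treated as affected, newer than 41 treated as fixed) are assumptions; the escaping helper illustrates the injection class in general and is not Electron's actual fix.

```javascript
// Added example (hypothetical helpers, not Electron project code).
// Fixed versions copied from the advisory for GHSA-5rqw-r77c-jp79 / CVE-2026-34779.
const FIXED_VERSIONS = ["41.0.0-beta.8", "40.8.0", "39.8.1", "38.8.6"];

// Parse "X.Y.Z" or "X.Y.Z-pre.release" into numeric parts plus prerelease ids.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers per semver: numeric ids compare as
// numbers and sort before alphanumeric ids, which compare lexically.
function cmpIds(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return Math.sign(a.main[i] - b.main[i]);
  }
  // Same X.Y.Z: a release outranks any prerelease of it (41.0.0 > 41.0.0-beta.8).
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

// True when `version` is at or above the fixed version of its release line.
function isPatchedElectronVersion(version) {
  const major = parseSemver(version).main[0];
  const fix = FIXED_VERSIONS.find((f) => parseSemver(f).main[0] === major);
  if (!fix) {
    // Assumption: lines newer than 41 include the fix; lines older than 38
    // are not listed in the advisory and are treated as affected.
    return major > 41;
  }
  return compareSemver(version, fix) >= 0;
}

// Escape a value for embedding inside an AppleScript "..." literal. Only
// backslash and double quote are special there; escape the backslash first so
// the quote's own escape is not doubled. This keeps a hostile path inside the
// literal instead of letting it terminate the string and continue the script.
function appleScriptStringLiteral(s) {
  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
}

// Constructed sample input for a stand-alone run.
console.log(isPatchedElectronVersion("40.7.9"), appleScriptStringLiteral('/tmp/a"b'));
```

In an Electron app the version to test is `process.versions.electron` (or the pinned version in the lockfile); any app that calls `app.moveToApplicationsFolder()` on an unpatched version should drop the call or fail the build. Escaping a literal only addresses the class shown here; the safer design avoids generating script source from untrusted input altogether, for instance by handing the path to a fixed script as an `on run argv` argument.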
Affected and Fixed Packages
Package Details
Weaknesses (3)
| System | Score | Found at |
|---|---|---|
| epss | 0.0001 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00024 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00024 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00024 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00024 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00025 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00025 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00026 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00026 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00026 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00009 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00009 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00009 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| epss | 0.00009 | https://api.first.org/data/v1/epss?cve=CVE-2026-34779 |
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-5rqw-r77c-jp79 |
| cvssv3.1 | 6.5 | https://github.com/electron/electron |
| generic_textual | MODERATE | https://github.com/electron/electron |
| cvssv3.1 | 6.5 | https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79 |
| cvssv3.1_qr | MODERATE | https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79 |
| generic_textual | MODERATE | https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79 |
| ssvc | Track | https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79 |
| cvssv3.1 | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2026-34779 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2026-34779 |
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L (Attack Vector: local; Attack Complexity: high; Privileges Required: none; User Interaction: required; Scope: unchanged; Confidentiality Impact: high; Integrity Impact: high; Availability Impact: low) Found at https://github.com/electron/electron
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L (Attack Vector: local; Attack Complexity: high; Privileges Required: none; User Interaction: required; Scope: unchanged; Confidentiality Impact: high; Integrity Impact: high; Availability Impact: low) Found at https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-06T15:49:50Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L (Attack Vector: local; Attack Complexity: high; Privileges Required: none; User Interaction: required; Scope: unchanged; Confidentiality Impact: high; Integrity Impact: high; Availability Impact: low) Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34779
Exploit Prediction Scoring System (EPSS)
Percentile 0.01128
EPSS Score 0.0001
Published At May 7, 2026, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-03T21:42:21.596791+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-5rqw-r77c-jp79/GHSA-5rqw-r77c-jp79.json | 38.1.0 |