CVE-2026-34779

MEDIUM 6.5

Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

6th

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

CWE	CWE-78
Vendor	electron
Product	electron
Published	Apr 4, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for electron electron

Be the first to know when new medium vulnerabilities affecting electron electron are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Affected Versions

electron / electron

< 38.8.6 >= 39.0.0-alpha.1, < 39.8.1 >= 40.0.0-alpha.1, < 40.8.0 >= 41.0.0-alpha.1, < 41.0.0-beta.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/electron/electron/security/advisories/GHSA-5rqw-r77c-jp79