CVE-2026-34779: AppleScript Injection in Electron ≤38.8.6
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34779 describes an AppleScript injection vulnerability in Electron on macOS. Specifically, `app.moveToApplicationsFolder()` used an insecure AppleScript fallback, potentially allowing arbitrary script execution if a crafted launch path is used and the user accepts the move prompt. This affects Electron versions up to 38.8.6. The vulnerability is fixed in Electron versions 41.0.0-beta.8 and 40.8.0.
How to fix
Upgrade Electron to version 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 or later to mitigate the AppleScript injection vulnerability. Be sure to test the updated application thoroughly to confirm compatibility and correct functionality after the upgrade. Avoid using `app.moveToApplicationsFolder()` unless it is absolutely necessary.
Frequently asked questions
What is CVE-2026-34779?
CVE-2026-34779 is an AppleScript injection vulnerability in Electron's `app.moveToApplicationsFolder()` on macOS, allowing potential arbitrary script execution.
Am I affected by CVE-2026-34779?
You are affected if your Electron application on macOS calls `app.moveToApplicationsFolder()` and uses a version less than or equal to 38.8.6.
How do I fix CVE-2026-34779?
Upgrade your Electron application to version 41.0.0-beta.8, 40.8.0, or a later version to patch this vulnerability.
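A triage check for the three conditions named above (macOS build, unpatched Electron release, a call to `app.moveToApplicationsFolder()`), written as an added example and not taken from the Electron project. The per-release-line thresholds are the versions listed under "How to fix"; the names `FIXED`, `isPatched`, `findCallSites`, `isExposed` and `SAMPLE` are hypothetical, and treating major versions above 41 as patched is an assumption.

```javascript
// Added example, not Electron project code. Fixed releases are copied from
// this page's "How to fix" section, one per major release line.
const FIXED = { 38: '38.8.6', 39: '39.8.1', 40: '40.8.0', 41: '41.0.0-beta.8' };

// Split "41.0.0-beta.8" into numeric core and prerelease identifiers.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not an exact version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: returns -1, 0 or 1.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  if (!x.pre || !y.pre) return x.pre ? -1 : y.pre ? 1 : 0; // prerelease < release
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric ids sort before alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

// Assumption: majors above 41 carry the fix ("or later"); majors below 38
// have no fixed release listed on the page, so they are reported unpatched.
function isPatched(version) {
  const major = parse(version).nums[0];
  if (major in FIXED) return compare(version, FIXED[major]) >= 0;
  return major > 41;
}

// 1-based line numbers in `source` that call the affected API.
function findCallSites(source) {
  const hit = /\bmoveToApplicationsFolder\s*\(/;
  return source.split('\n').flatMap((line, i) => (hit.test(line) ? [i + 1] : []));
}

// Exposure needs all three: macOS build, unpatched Electron, and a call site.
function isExposed({ version, platform, source }) {
  return platform === 'darwin' && !isPatched(version) && findCallSites(source).length > 0;
}

// Constructed sample input, not from a real application.
const SAMPLE = "const { app } = require('electron')\napp.moveToApplicationsFolder()";
```

Pass the resolved version (for example `process.versions.electron` or the lockfile entry), not a `package.json` range. The call-site scan is a plain text match, so aliased or dynamically built calls need manual review.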