Platform: javascript
Component: electron
Fixed in: 38.8.7, 39.0.1, 40.0.1, 41.0.1
CVE-2026-34779 is a security vulnerability in Electron that affects applications running on macOS. It allows arbitrary AppleScript execution when an application attempts to move itself to the Applications folder: app.moveToApplicationsFolder() does not properly handle characters in the application bundle path, so a path containing characters that are significant to AppleScript can alter the script the function runs. Affected versions are 38.0.0 and later in the 38.x line before 38.8.6, the 39.x line before 39.8.1, the 40.x line before 40.8.0, and the 41.x prereleases from 41.0.0-alpha.1 up to but not including 41.0.0-beta.8.
An attacker who can influence the path from which the application is launched can craft that path so that, when the user accepts the move-to-Applications prompt, arbitrary AppleScript runs. This gives code execution in the context of the user who accepted the prompt and can be used for data theft or further compromise; the exact impact depends on the privileges the Electron application and the move operation run with. The vector is stealthy because it abuses a prompt that users expect to see and tend to trust. Exploitation requires the application to call app.moveToApplicationsFolder() explicitly, which limits the set of affected applications. The bug is an instance of the broader AppleScript injection class, in which unvalidated input is interpolated into a script and ends up being interpreted as code.
This vulnerability was publicly disclosed on 2026-04-04. There is currently no indication of active exploitation in the wild, no public proof-of-concept (PoC) code has been released, and the vulnerability is not listed in the CISA KEV catalog. The CVSS base score is 6.5 (Medium). CVSS measures severity rather than likelihood of exploitation; the EPSS figure below is the probability estimate, and it is currently low, although that can change if a PoC is published and widely distributed.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34779 is to upgrade Electron to a fixed release (38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8, or later on the corresponding line). If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily stop calling app.moveToApplicationsFolder(); this removes the affected code path at the cost of the self-move feature. As defence in depth, check the application's own path (for example process.execPath or app.getPath('exe')) before calling the function and skip the move if the path contains characters that are significant inside an AppleScript string, such as double quotes or backslashes. Because the bug is in the application's own process, no WAF or proxy rule can address it. For detection, monitor process telemetry for AppleScript execution (for example osascript child processes) originating from Electron applications; outside the move-to-Applications flow this is unusual.
Update Electron to 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 or later, depending on the release line you are on, to mitigate the AppleScript injection vulnerability. Test the new version in your environment before deploying to production. Avoid calling `app.moveToApplicationsFolder()` unless it is necessary.
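The pre-flight guard described above, together with the injection pattern it defends against, as an added example for an Electron main process. This is not Electron's code and not the patch. It assumes the vulnerable shape is a bundle path interpolated into an AppleScript string literal, which the advisory implies but does not spell out, and it assumes the characters that matter are the double quote, the backslash and control characters. `buildMoveScriptNaive` and `buildMoveScriptSafe` are hypothetical stand-ins for whatever script Electron actually runs; `stubApp` is a constructed replacement for Electron's `app` object so the guard can be exercised offline.

```javascript
'use strict';

// Characters that can end or escape an AppleScript "..." literal.
// Assumption: double quote, backslash and control characters; the
// advisory does not list the exact characters Electron now handles.
const UNSAFE_APPLESCRIPT_CHARS = /["\\\u0000-\u001f]/;

function hasUnsafeAppleScriptChars(p) {
  return UNSAFE_APPLESCRIPT_CHARS.test(p);
}

// Escape a path for embedding inside an AppleScript string literal.
// AppleScript uses backslash escapes for \ and " inside "..." strings.
function quoteForAppleScript(p) {
  return '"' + p.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Hypothetical script shape (not Electron's real script): the bundle path
// dropped straight into a string literal. This is the bug class the
// advisory describes: a quote in the path ends the literal early.
function buildMoveScriptNaive(bundlePath) {
  return `tell application "Finder" to move POSIX file "${bundlePath}" to folder "Applications" of startup disk`;
}

// Same script with the path escaped, so it stays one literal.
function buildMoveScriptSafe(bundlePath) {
  return `tell application "Finder" to move POSIX file ${quoteForAppleScript(bundlePath)} to folder "Applications" of startup disk`;
}

// Minimal AppleScript string-literal scanner: counts "..." literals while
// honouring backslash escapes, and reports whether the last one is left open.
// Used here to show, without running anything, that a crafted path changes
// the structure of the naive script but not of the escaped one.
function scanStringLiterals(script) {
  let literals = 0;
  let inLiteral = false;
  for (let i = 0; i < script.length; i++) {
    const c = script[i];
    if (!inLiteral) {
      if (c === '"') { inLiteral = true; literals++; }
    } else if (c === '\\') {
      i++; // skip the escaped character
    } else if (c === '"') {
      inLiteral = false;
    }
  }
  return { literals, unterminated: inLiteral };
}

// Pre-flight guard around app.moveToApplicationsFolder(). `app` is the
// Electron app object (or a stub); `platform` defaults to the current OS.
// The executable lives inside the bundle, so checking app.getPath('exe')
// covers the bundle path as well.
function safeMoveToApplicationsFolder(app, platform = process.platform) {
  if (platform !== 'darwin') return { moved: false, reason: 'not-macos' };
  if (app.isInApplicationsFolder()) return { moved: false, reason: 'already-in-applications' };
  const exePath = app.getPath('exe');
  if (hasUnsafeAppleScriptChars(exePath)) {
    // Refuse to enter the vulnerable code path rather than try to sanitise.
    return { moved: false, reason: 'unsafe-path' };
  }
  try {
    const moved = app.moveToApplicationsFolder();
    return { moved, reason: moved ? 'moved' : 'declined' };
  } catch (err) {
    return { moved: false, reason: 'error: ' + err.message };
  }
}

// Constructed stub standing in for Electron's app object (for offline runs).
function stubApp(exePath, inApplications = false, userAccepts = true) {
  return {
    isInApplicationsFolder: () => inApplications,
    getPath: (name) => (name === 'exe' ? exePath : undefined),
    moveToApplicationsFolder: () => userAccepts,
  };
}
```

In a real application, call `safeMoveToApplicationsFolder(app)` from the main process where you would otherwise call `app.moveToApplicationsFolder()` directly, and treat an `unsafe-path` result as "do not offer the move"; the guard is a stopgap for builds that cannot yet pick up a fixed Electron, not a substitute for upgrading.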
CVE-2026-34779 is a medium severity vulnerability in Electron affecting macOS applications. It allows arbitrary AppleScript execution when an application launched from a crafted path moves itself to the Applications folder.
You are affected if you use an Electron release in the affected ranges (38.0.0 before 38.8.6, 39.x before 39.8.1, 40.x before 40.8.0, or 41.0.0-alpha.1 before 41.0.0-beta.8) and your application calls app.moveToApplicationsFolder(). Applications that never call this API are not affected.
Upgrade Electron to a fixed release (38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8, or later). If upgrading is not possible, stop calling app.moveToApplicationsFolder() for now, or at least refuse to call it when the application's own path contains characters that could break out of an AppleScript string.
There is currently no indication of active exploitation in the wild, and no public proof-of-concept code is available.
Refer to the official Electron security advisories on the Electron GitHub repository: https://github.com/electron/electron/security