CVE-2026-34779
Received Received - Intake
AppleScript Injection via app.moveToApplicationsFolder() in Electron

Publication date: 2026-04-04

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34779
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron to 38.8.6 (exc)
electronjs electron From 39.0.0 (inc) to 39.8.1 (exc)
electronjs electron From 40.0.0 (inc) to 40.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Electron's app.moveToApplicationsFolder() API can lead to arbitrary AppleScript execution under specific conditions, potentially causing significant confidentiality and integrity breaches.

Such breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity.

However, the provided information does not explicitly discuss the direct effects on compliance with these regulations.

Executive Summary

CVE-2026-34779 is a moderate severity vulnerability in the Electron framework affecting macOS platforms. It occurs in the app.moveToApplicationsFolder() API, which uses an AppleScript fallback method to move applications to the Applications folder.

The fallback method does not properly sanitize or handle certain characters in the application bundle path. Under specific conditions, a maliciously crafted launch path can trigger arbitrary AppleScript execution when the user consents to the move-to-Applications prompt.

Only applications that explicitly call app.moveToApplicationsFolder() are vulnerable; those that do not use this API are unaffected.

Impact Analysis

Exploitation of this vulnerability requires local access and user interaction but no special privileges.

If exploited, it can lead to arbitrary AppleScript execution, which may result in significant breaches of confidentiality and integrity of the affected system.

The availability impact is low, but the attacker could potentially execute malicious commands or scripts on the victim's machine.

Detection Guidance

This vulnerability affects Electron applications on macOS that explicitly call the app.moveToApplicationsFolder() API. Detection involves identifying if any installed Electron applications use a vulnerable version of Electron prior to the patched versions 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8.

Since the vulnerability requires local user interaction and specific API usage, network detection is unlikely to be effective. Instead, you should check the Electron version used by your applications.

Suggested commands to detect vulnerable Electron versions on macOS systems include:

  • Find Electron applications and check their version by inspecting the app's package.json or executable metadata.
  • For example, to find Electron apps, you can use: `find /Applications -name "*.app" -exec sh -c 'defaults read "{}/Contents/Info" CFBundleIdentifier' \;`
  • Check the Electron version inside the app's resources, e.g., `cat /Applications/YourApp.app/Contents/Resources/app/package.json | grep electron`
  • Alternatively, if you have access to the app's source or build environment, verify the Electron version dependency.

There are no specific commands or network signatures to detect exploitation attempts due to the local and user-interaction nature of this vulnerability.

Mitigation Strategies

The primary and immediate mitigation step is to update any affected Electron applications to a patched version of Electron.

  • Upgrade Electron to version 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 or later, as these versions contain the fix for this vulnerability.
  • If you are developing Electron applications, avoid using the app.moveToApplicationsFolder() API until you have updated to a patched Electron version.

There are no available workarounds at the application level, so patching is mandatory to prevent arbitrary AppleScript execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34779. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart