CVE-2026-54672

electron-updater LD_LIBRARY_PATH Path Traversal Vulnerability

Vulnerability report for CVE-2026-54672, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: electron-updater
Product: electron-updater
Version / Range: 26.15.0

Exploitability

CWE-427: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Executive Summary

The vulnerability exists in electron-updater versions prior to 26.15.0 when using AppImage targets built by app-builder-lib. It allows an empty path component to be set in the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be included in the dynamic linker search path.

Because of this, an attacker could place a malicious shared library in the directory from which the AppImage is launched, leading to the execution of arbitrary code.

This issue was fixed in version 26.15.0.

Impact Analysis

This vulnerability can allow an attacker with limited privileges to execute arbitrary code on your system by placing a malicious shared library in the directory from which the AppImage is launched.

The impact includes potential full compromise of confidentiality, integrity, and availability of the affected system or application, as indicated by the CVSS score which rates confidentiality, integrity, and availability impacts as high.

Mitigation Strategies

To mitigate this vulnerability, update electron-updater to version 26.15.0 or later, where the issue has been fixed.
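To make the described condition checkable, here is an added POSIX shell example (not code from electron-updater or app-builder-lib). It flags an LD_LIBRARY_PATH value that contains an empty component, which the dynamic linker treats as the current working directory, and shows how to prepend a library directory without producing one. The assumption that the empty component comes from concatenating onto an unset variable is mine; the advisory only states that an empty component was produced.

```shell
#!/bin/sh
# Added example for CVE-2026-54672 (CWE-427). Not part of electron-updater.

# Return 0 if the value has an empty component: a leading ":", a trailing ":",
# or "::" in the middle. glibc resolves an empty component to ".", so the
# directory the program was launched from becomes a library search location.
has_empty_component() {
  case "$1" in
    :*|*:|*::*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Safe way to put an app's lib dir first: only add the ":" separator when
# there is an existing value to separate from. Printing the result keeps the
# function side-effect free; callers export it.
safe_prepend_ld_library_path() {
  dir=$1
  current=$2
  if [ -n "$current" ]; then
    printf '%s:%s\n' "$dir" "$current"
  else
    printf '%s\n' "$dir"
  fi
}

# Assumed root cause (constructed): naive concatenation when the variable is
# unset yields a trailing ":" and therefore an empty component.
naive_prepend_ld_library_path() {
  printf '%s:%s\n' "$1" "$2"
}

# Constructed sample values for a local check.
APPDIR_LIB=/opt/example-app/usr/lib
unsafe=$(naive_prepend_ld_library_path "$APPDIR_LIB" "")
safe=$(safe_prepend_ld_library_path "$APPDIR_LIB" "")

if has_empty_component "$unsafe"; then
  echo "UNSAFE: '$unsafe' contains an empty component (CWD would be searched)"
fi
if ! has_empty_component "$safe"; then
  echo "OK: '$safe' has no empty component"
fi
```

To audit a running AppImage process, compare its environment (for example from /proc/PID/environ, NUL-separated) against the same has_empty_component check.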
