Primary

Context

Typora Command Injection Vulnerability in PDF Export Preferences

Vulnerability

A command injection vulnerability has been identified in Typora version 1.7.4, specifically within the PDF export preferences. This vulnerability allows attackers to execute arbitrary system commands by injecting malicious commands into the 'run command' input field during the PDF export process. Exploitation of this vulnerability could lead to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the system where Typora is running.

Reproduction

To reproduce this vulnerability, open Typora 1.7.4 and navigate to the Preferences menu. Select the PDF export tab and check the 'run command' option. Enter a reverse shell command into the provided input field. After closing the preferences window, return to the File menu, select PDF export, and click Save. The injected command will be executed, establishing a reverse shell connection.

Added: Dec 12, 2025, 8:26 PM

Updated: Dec 12, 2025, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

10.0

exploitability

4.4

remediation

0.0

relevance

1.4

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

10.0

exploitability

4.4

remediation

0.0

relevance

1.4

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Typora Command Injection Vulnerability in PDF Export Preferences

Vulnerability

Impact

Reproduction

Affected Products

Typora

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating