vitejs launch-editor
- <= 2.8.2
A command injection vulnerability has been identified in the launch-editor package, specifically in versions through 2.8.2. The issue arises from inadequate sanitization of the file argument in the launchEditor function, allowing attackers to execute arbitrary commands on Windows systems. This vulnerability can be exploited by supplying a filename that includes special characters. The problem has been addressed in launch-editor version 2.9.0, which is compatible with Vite version 5.4.9.
Exploitation of this vulnerability allows for arbitrary command execution on the affected Windows system.
To reproduce this vulnerability, a file must be created with a name that includes special characters, such as '&', which can be used to concatenate commands in the Windows command line. This file should then be opened using the launchEditor function, with the file argument set to the crafted filename. The launch-editor package must be running on a Windows environment for the vulnerability to be exploited.
Users can upgrade to launch-editor version 2.9.0 to address this vulnerability.