Electron AppleScript Injection Vulnerability in app.moveToApplicationsFolder on macOS

Vulnerability

A vulnerability in Electron's app.moveToApplicationsFolder() function on macOS, in versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, allows arbitrary AppleScript execution. The issue arises because the function's fallback path does not correctly handle certain characters in the application bundle path. If an application using this API is tricked into accepting the move-to-Applications prompt, it could execute crafted AppleScript commands.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of AppleScript, potentially allowing for manipulation of the user's system or applications.

Remediation

Users must update to Electron versions 38.8.6, 39.8.1, 40.8.0, or 41.0.0-beta.8 to address this vulnerability.
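
An added example (not code from the Electron project or from this advisory): a check that compares an Electron version string against the fixed releases listed above, using SemVer precedence so that prereleases such as 41.0.0-beta.7 are ordered correctly. The function names are hypothetical, and treating release lines older than 38 as affected is an assumption made because no fix is listed for them.

```javascript
// Fixed releases exactly as listed in this advisory, one per release line.
const FIXED = ['38.8.6', '39.8.1', '40.8.0', '41.0.0-beta.8'];

function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`unparseable Electron version: ${version}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer precedence: returns -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  // A release outranks any prerelease of the same x.y.z.
  if (!a.pre.length && !b.pre.length) return 0;
  if (!a.pre.length) return 1;
  if (!b.pre.length) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // shorter prerelease sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return +x < +y ? -1 : 1; // beta.10 > beta.8
    if (xn !== yn) return xn ? -1 : 1;     // numeric ids sort below text ids
    return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parse(version);
  // "nightly" sorts after "beta" lexically, so SemVer order is not
  // chronological for those builds; refuse to guess.
  if (v.pre[0] === 'nightly') throw new Error('nightly build: review manually');
  const fixes = FIXED.map(parse);
  const sameLine = fixes.find((f) => f.nums[0] === v.nums[0]);
  if (sameLine) return compare(v, sameLine) < 0;
  // Assumption: majors older than the oldest listed fix have no patched
  // release; majors newer than the newest listed fix already include it.
  return v.nums[0] < Math.min(...fixes.map((f) => f.nums[0]));
}
```

Inside an Electron app the running version is available as `process.versions.electron`; the affected API only exists on macOS.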

Added: Apr 4, 2026, 12:18 AM
Updated: Apr 4, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 2.4
remediation: 0.0
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.