CVE-2026-34779
Published: 04 April 2026
Summary
CVE-2026-34779 is a medium-severity OS Command Injection (CWE-78) vulnerability in Electron (vendor: Electronjs). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique AppleScript (T1059.002). It is ranked at the 1.1 percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly requires timely patching of the vulnerable Electron versions (prior to 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8) to remediate the AppleScript injection flaw.
- Enables automated scanning to identify systems and applications using vulnerable Electron versions affected by this macOS-specific path handling issue.
- Addresses the CWE-78 OS command injection root cause by enforcing validation of crafted application bundle paths before AppleScript execution in Electron apps.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability enables arbitrary AppleScript execution via flawed path handling in the app.moveToApplicationsFolder() API (CWE-78 OS Command Injection), directly facilitating T1059.002.
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Deeper analysis [AI]
CVE-2026-34779 is a vulnerability in the Electron framework, which enables development of cross-platform desktop applications using JavaScript, HTML, and CSS. On macOS, versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8 are affected when applications invoke the app.moveToApplicationsFolder() API. This method employs an AppleScript fallback that inadequately handles certain characters in the application bundle path, potentially enabling arbitrary AppleScript execution under specific conditions. Applications not using this API remain unaffected. The issue is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 6.5 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L).
Exploitation requires local access (AV:L) with no privileges (PR:N), high attack complexity (AC:H), and user interaction (UI:R), such as accepting a move-to-Applications prompt. An attacker could craft a malicious launch path for the application, leveraging the flawed AppleScript handling to execute arbitrary commands on the system. Successful exploitation yields high impacts on confidentiality and integrity (C:H/I:H), with low availability impact (A:L), potentially allowing data exfiltration, modification, or other system compromise depending on the executed AppleScript.
The Electron security advisory (GHSA-5rqw-r77c-jp79) confirms patches in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, recommending immediate upgrades for affected applications. Developers should verify usage of app.moveToApplicationsFolder() and apply the fixes to mitigate risks on macOS deployments.
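The advisory's two exposure conditions (a bundled Electron older than the patched release of its major line, and an actual call to app.moveToApplicationsFolder()) can be checked mechanically. The Node.js triage helper below is an added example, not code from the advisory or from the Electron project. It assumes that majors below 38 have no patched release listed and are therefore treated as affected, that majors above 41 were released after the fix and are treated as fixed, and that the sample sources are constructed stand-ins for a real app's main process code.

```javascript
// Added example (not part of the advisory or of Electron): a triage helper
// that answers, for one Electron app, (1) is the bundled Electron version
// still prior to the patched release of its major line, and (2) does the
// app's code call app.moveToApplicationsFolder()? Only "yes" to both means
// the app is exposed to CVE-2026-34779 on macOS.

// Patched releases per major line, exactly as listed in the advisory.
const PATCHED = {
  38: '38.8.6',
  39: '39.8.1',
  40: '40.8.0',
  41: '41.0.0-beta.8',
};

// Parse "major.minor.patch[-pre.N]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    pre: m[4] ? m[4].split('.') : null, // e.g. ['beta', '8']
  };
}

// SemVer-style ordering: numeric core first; a prerelease sorts below the
// same core without one; prerelease identifiers compare numerically when
// both are numbers, otherwise lexically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when the Electron version is at or past the patched release of its
// major line. Assumption (not stated by the advisory): majors below 38 have
// no listed fix and count as affected; majors above 41 count as fixed.
function isPatchedElectron(version) {
  const { major } = parseVersion(version);
  if (major < 38) return false;
  if (major > 41) return true;
  return compareVersions(version, PATCHED[major]) >= 0;
}

// Locate call sites of the affected API. `sources` maps file name -> text.
// Matches both `app.moveToApplicationsFolder(` and a destructured
// `moveToApplicationsFolder(`; single-line comments are stripped first so a
// commented-out call is not reported.
function findMoveToApplicationsCalls(sources) {
  const hits = [];
  const call = /\bmoveToApplicationsFolder\s*\(/;
  for (const [file, text] of Object.entries(sources)) {
    text.split('\n').forEach((line, i) => {
      const code = line.replace(/\/\/.*$/, '');
      if (call.test(code)) hits.push({ file, line: i + 1 });
    });
  }
  return hits;
}

// Combine both checks into a single verdict.
function assessApp(electronVersion, sources) {
  const patched = isPatchedElectron(electronVersion);
  const calls = findMoveToApplicationsCalls(sources);
  return { electronVersion, patched, calls, exposed: !patched && calls.length > 0 };
}

// Constructed sample sources standing in for a real app's main process.
const SAMPLE_SOURCES = {
  'main.js': [
    "const { app } = require('electron');",
    'app.whenReady().then(() => {',
    '  if (!app.isInApplicationsFolder()) app.moveToApplicationsFolder();',
    '});',
  ].join('\n'),
  'renderer.js': "// app.moveToApplicationsFolder() is only mentioned here\nconsole.log('hi');",
};

console.log(JSON.stringify(assessApp('39.7.0', SAMPLE_SOURCES), null, 2));
```

In practice, feed `assessApp` the `electron` version from the app's package-lock.json or node_modules/electron/package.json and the main-process source files; an app on a patched release, or one with no call site, needs no further action for this CVE.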
Details
- CWE(s)