Back to overview

CVE-2026-40501

HIGH Exploitation: PoC
8.8
CVSS 3.1
Description
Cherry Studio versions 1.2.2 through 1.9.12, fixed in commit 1518530, contain a remote code execution vulnerability in SearchService that allows remote attackers to execute arbitrary code by delivering malicious JavaScript through controlled search provider content loaded into an Electron BrowserWindow configured with nodeIntegration enabled and contextIsolation disabled. Attackers who control a search engine provider, individual search result pages, or provider settings pages can execute JavaScript with full Node.js privileges, gaining access to fs, child_process, os, and process.env under the operating-system account of the Cherry Studio process.

Metadata

CVE ID
CVE-2026-40501
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-04-13 20:29 UTC
Published
2026-07-15 17:41 UTC
Last updated
2026-07-15 18:09 UTC
Primary CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
Vendor / Product
CherryHQ / cherry-studio
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
CherryHQ cherry-studio 1.2.2 ≤ 1.9.12, f9c6bddae5b91cc50872c76e791105fa219d0d34 ≤ 151853035e8e417a51559ebfc243eda98361a882
Weakness (CWE)
CWESourceDescription
CWE-829 cna Inclusion of Functionality from Untrusted Control Sphere
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview