CVE-2026-54672

HIGH 7.8 (CVSS 3.1)

Description
electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.
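
The failure mode described above, shown as an added shell example. It is not code from electron-builder or its fix; the function names and the `/tmp/.mount_demo/usr/lib` directory are constructed for illustration. It contrasts a launcher-style concatenation that leaves an empty component with a hardened form, and includes a check that flags empty components in any search-path value:

```shell
#!/bin/sh
# Added example: constructed launcher logic, not electron-builder's own code.

# Unsafe: if the inherited value is empty, the result ends in ":" and the
# dynamic linker reads that empty component as the current working directory.
build_unsafe() {   # $1 = bundled lib dir, $2 = inherited LD_LIBRARY_PATH
    printf '%s\n' "$1:$2"
}

# Drop every empty component (leading, trailing or doubled colon).
strip_empty_components() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d' | paste -sd: -
}

# Hardened: clean the inherited value, then add the separator only when
# something is left to append.
build_safe() {
    inherited=$(strip_empty_components "$2")
    printf '%s\n' "$1${inherited:+:$inherited}"
}

# Classify a search-path value; returns 1 when an empty component is present.
classify_search_path() {
    case $1 in
        '')   printf 'clean\n' ;;                      # empty value: nothing to audit
        :*)   printf 'leading-empty\n';  return 1 ;;
        *::*) printf 'inner-empty\n';    return 1 ;;
        *:)   printf 'trailing-empty\n'; return 1 ;;
        *)    printf 'clean\n' ;;
    esac
}

# Demo over constructed inherited values (empty, normal, already dirty).
LIBDIR=/tmp/.mount_demo/usr/lib   # assumed mount-point layout
for inherited in '' '/opt/lib' ':/opt/lib'; do
    u=$(build_unsafe "$LIBDIR" "$inherited")
    s=$(build_safe "$LIBDIR" "$inherited")
    printf 'inherited=[%s]\n  unsafe: %s (%s)\n  safe:   %s (%s)\n' \
        "$inherited" "$u" "$(classify_search_path "$u")" \
        "$s" "$(classify_search_path "$s")"
done
```
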

Metadata

CVE ID: CVE-2026-54672
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-15 22:53 UTC
Published: 2026-06-30 22:15 UTC
Last updated: 2026-06-30 22:15 UTC
Primary CWE: CWE-427: Uncontrolled Search Path Element
Vendor / Product: electron-userland / electron-builder
Sources: cve.org · NVD

Severity & Metrics

7.8 HIGH CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products (2)

| Vendor | Product | Platform | Versions |
|---|---|---|---|
| electron-userland | app-builder-lib | | < 26.15.0 |
| electron-userland | electron-builder | | < 26.15.0 |

Weakness (CWE)

| CWE | Source | Description |
|---|---|---|
| CWE-427 | cna | CWE-427: Uncontrolled Search Path Element |

CVSS scores (1)

| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.8 | HIGH | 3.1 | cna | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

References (2)