Description
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: (1) a victim visits a malicious website controlled by the attacker and the website redirects to the URL automatically, or (2) a victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE's custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim's machine, without further interaction. This issue has been patched in version 0.25.4.
Published: 2026-03-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A one-click vulnerability in AFFiNE allows an attacker to craft a malicious affine: URL that, when opened by a victim's browser, triggers the AFFiNE custom URL handler to execute arbitrary code on the victim's machine without any further action. The flaw originates from improper validation of the URL payload and is classified as a code injection weakness (CWE-94). Successful exploitation compromises confidentiality, integrity, and availability by giving the attacker full control over the affected system.

Affected Systems

The vulnerability affects the AFFiNE workspace application provided by toeverything. Any installation of AFFiNE earlier than version 0.25.4 is susceptible; the patch is included in version 0.25.4 and later. No additional affected versions are listed.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of < 1% indicates a low exploitation probability, and the vulnerability is not listed in the KEV catalog. Despite the low likelihood, the high impact means organizations should address the flaw promptly, although a short grace period is acceptable if patching cannot occur immediately.

Generated by OpenCVE AI on April 17, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AFFiNE to version 0.25.4 or later, which includes the fix for the custom URL handling flaw.
  • If an upgrade cannot be performed immediately, block or sanitize affine: URLs by removing the custom URL handler from the operating system or changing browser settings to prevent automatic launch of AFFiNE via that scheme.
  • Monitor web content for suspicious affine: URLs or redirects and consider disabling unsolicited URL handlers in browsers to reduce exposure.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Affine; Affine affine
CPEs | | cpe:2.3:a:affine:affine:*:*:*:*:*:*:*:*
Vendors & Products | | Affine; Affine affine

Wed, 04 Mar 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Toeverything; Toeverything affine
Vendors & Products | | Toeverything; Toeverything affine

Mon, 02 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: (1) a victim visits a malicious website controlled by the attacker and the website redirects to the URL automatically, or (2) a victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE's custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim's machine, without further interaction. This issue has been patched in version 0.25.4.
Title | | AFFiNE: One-click Remote Code Execution through Custom URL Handling
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T19:19:18.087Z

Reserved: 2026-01-05T16:44:16.366Z

Link: CVE-2026-21853

Vulnrichment

Updated: 2026-03-02T19:19:02.997Z

NVD

Status: Analyzed

Published: 2026-03-02T19:16:32.560

Modified: 2026-04-20T14:53:37.203

Link: CVE-2026-21853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses