Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Published: 2026-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Patch Electron
AI Analysis

Impact

Electron applications that use app.moveToApplicationsFolder() can be impacted on macOS because the fallback AppleScript path does not escape certain characters in the application bundle path. As a result, a crafted launch path can cause the execution of arbitrary AppleScript when the user accepts the move-to‑Applications prompt. The impact is that the injected AppleScript runs with the privileges of the user, potentially allowing the attacker to perform actions on the system. The fact that the script runs with user privileges is inferred from the description that it is “arbitrary AppleScript execution” triggered by user interaction.

Affected Systems

All macOS desktop applications built with Electron that invoke the app.moveToApplicationsFolder() API and are running any of the following unpatched versions: Electron 38.8.5 or earlier, 39.8.0 or earlier, 40.7.9 or earlier, and 41.0.0-beta.7 or earlier. Applications that do not call this API, or that are built with a later, patched release, are not affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. The EPSS score is below 1%, which suggests that the probability of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Because exploitation requires an attacker to craft a launch path and the user to explicitly accept the move-to‑Applications prompt, the attack vector is local and requires user interaction. The overall risk is moderate; therefore, remediation should be prioritized but does not constitute an immediate emergency.

Generated by OpenCVE AI on April 14, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Electron to a patched version (38.8.6, 39.8.1, 40.8.0, or 41.0.0‑beta.8 or newer).
  • If an update is not possible, remove or disable calls to app.moveToApplicationsFolder() from the application code to eliminate the vulnerable code path.
  • Validate and sanitize any application bundle path before invoking the move operation in order to prevent special‑character injection.

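A defender-side stop-gap for the last recommended action, added here as an example and not Electron's or OpenCVE's own code. Because the advisory only says "certain characters" in the bundle path were mishandled, the character allowlist and the guardedMoveToApplicationsFolder helper are assumptions; updating Electron remains the actual fix.

```javascript
// Added example (not Electron's or OpenCVE's code): a guard in front of
// app.moveToApplicationsFolder() for apps still on an Electron release
// affected by CVE-2026-34779. The advisory does not name the mishandled
// characters, so the allowlist below is an assumption, not the set Electron
// fixed: the move is refused whenever the app's current location contains
// anything outside a conservative character set.

// Characters allowed in the bundle path. Anything able to end or escape an
// AppleScript string literal (double quotes, backslashes, line breaks) is
// deliberately outside this set.
const SAFE_BUNDLE_PATH = /^[A-Za-z0-9 ._\-\/()]+$/;

// True when the path is a .app bundle made only of allowlisted characters.
function isSafeBundlePath(bundlePath) {
  return typeof bundlePath === 'string' &&
    bundlePath.endsWith('.app') &&
    SAFE_BUNDLE_PATH.test(bundlePath);
}

// Derive the .app bundle path from the executable path Electron reports via
// app.getPath('exe'), e.g. "/Users/me/Downloads/My App.app/Contents/MacOS/My App".
function bundlePathFromExe(exePath) {
  const marker = '.app/Contents/MacOS/';
  const idx = typeof exePath === 'string' ? exePath.indexOf(marker) : -1;
  return idx === -1 ? null : exePath.slice(0, idx + '.app'.length);
}

// Call this on macOS instead of app.moveToApplicationsFolder() directly.
// `electronApp` is Electron's `app` object (or a stub with the same three
// methods, as in the test below). Returns what happened so the caller can
// log it or tell the user to move the app manually.
function guardedMoveToApplicationsFolder(electronApp) {
  if (electronApp.isInApplicationsFolder()) {
    return { moved: false, reason: 'already-in-applications' };
  }
  const bundle = bundlePathFromExe(electronApp.getPath('exe'));
  if (!isSafeBundlePath(bundle)) {
    // Never start the move (and its AppleScript fallback) from a location
    // whose path contains characters we did not expect.
    return { moved: false, reason: 'unsafe-bundle-path', bundle };
  }
  return { moved: electronApp.moveToApplicationsFolder(), reason: 'attempted' };
}
```

Apps that take this route should still drop the guard once they ship on a patched Electron, since it also blocks legitimate moves from directories with unusual names.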


Advisories
Source: GitHub GHSA
ID: GHSA-5rqw-r77c-jp79
Title: Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
History

Tue, 14 Apr 2026 19:00:00 +0000

Type: First Time appeared. Values removed: none. Values added: Electronjs; Electronjs electron
Type: CPEs. Values removed: none. Values added:
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
Type: Vendors & Products. Values removed: none. Values added: Electronjs; Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared. Values removed: none. Values added: Electron; Electron electron
Type: Vendors & Products. Values removed: none. Values added: Electron; Electron electron

Mon, 06 Apr 2026 16:45:00 +0000

Type: Metrics. Values removed: none. Values added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 00:00:00 +0000

Type: Description. Values removed: none. Values added: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Type: Title. Values removed: none. Values added: Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
Type: Weaknesses. Values removed: none. Values added: CWE-78
Type: References. Values removed: none. Values added: none listed
Type: Metrics. Values removed: none. Values added: cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T03:55:40.913Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34779

Vulnrichment

Updated: 2026-04-06T15:49:53.546Z

NVD

Status: Analyzed

Published: 2026-04-04T00:16:19.213

Modified: 2026-04-14T18:55:03.110

Link: CVE-2026-34779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses