Lucene search
K

26 matches found

RedhatCVE
RedhatCVE
added 2026/07/01 2:8 p.m.8 views

CVE-2026-54673

A flaw was found in electron-updater, a component used for automatic updates in Electron applications. This vulnerability allows a remote attacker to obtain sensitive user credentials. When an Electron application performs an HTTP redirect, the electron-updater's redirect handler fails to strip...

8.2CVSS5.7AI score0.00235EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/07/01 1:29 p.m.9 views

CVE-2026-54672

A flaw was found in electron-updater, a component used for automatic updates in Electron applications. This vulnerability arises because AppImage targets, built by app-builder-lib, incorrectly add the current working directory to the dynamic linker search path when setting the LDLIBRARYPATH...

7.8CVSS5.9AI score0.00129EPSS
Exploits0References5
NVD
NVD
added 2026/06/30 11:17 p.m.6 views

CVE-2026-54673

electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...

8.2CVSS0.00235EPSS
Exploits0References2
NVD
NVD
added 2026/06/30 11:17 p.m.6 views

CVE-2026-54672

electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LDLIBRARYPATH environment variable at runtime. This causes the current working directory to be added to the dynamic linke...

7.8CVSS0.00129EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/30 10:15 p.m.6 views

CVE-2026-54672

electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LDLIBRARYPATH environment variable at runtime. This causes the current working directory to be added to the dynamic linke...

7.8CVSS6.1AI score0.00129EPSS
Exploits0References3Affected Software2
OSV
OSV
added 2026/06/30 10:15 p.m.4 views

CVE-2026-54672 electron-updater: Uncontrolled search path elements within `AppImage` built by `app-builder-lib`

electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LDLIBRARYPATH environment variable at runtime. This causes the current working directory to be added to the dynamic linke...

7.8CVSS6.2AI score0.00129EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/30 10:11 p.m.5 views

CVE-2026-54673

electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...

8.2CVSS5.7AI score0.00235EPSS
Exploits0References3Affected Software2
Cvelist
Cvelist
added 2026/06/30 10:11 p.m.26 views

CVE-2026-54673 electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime`

electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...

8.2CVSS0.00235EPSS
Exploits0References2
OSV
OSV
added 2026/06/30 10:11 p.m.2 views

CVE-2026-54673 electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime`

electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...

8.2CVSS5.8AI score0.00235EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 10:11 p.m.16 views

CVE-2026-54673

The CVE affects electron-updater (builder-util-runtime component) prior to version 9.7.0. The root cause is that HttpExecutor.prepareRedirectUrlOptions only stripped a credential header named exactly the lowercase string “authorization.” Other credential-bearing headers, notably PRIVATE-TOKEN and...

8.2CVSS5.7AI score0.00235EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-54019

Name of the Vulnerable Software and Affected Versions electron-updater versions prior to 9.7.0 Description The HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only removes credential headers that exactly match the lowercase string "authorization". Consequently, other credential-beari...

8.2CVSS5.9AI score0.00235EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-54018

Name of the Vulnerable Software and Affected Versions electron-updater versions prior to 26.15.0 Description AppImage targets built by app-builder-lib can use an empty path component when setting the LD LIBRARY PATH environment variable at runtime. This behavior causes the current working directo...

7.8CVSS6.1AI score0.00129EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/01/09 8:33 a.m.14 views

CVE-2024-39698

electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...

7.5CVSS7.1AI score0.00336EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.10 views

EUVD-2024-2310

Malicious code in bioql PyPI...

7.5CVSS6.4AI score0.00336EPSS
Exploits1References6
Veracode
Veracode
added 2024/07/10 9:10 a.m.15 views

Improper Verification Of Cryptographic Signature

electron-updater is vulnerable to Improper Verification of Cryptographic Signature. The vulnerability is caused due to improper handling and comparison of file paths, allowing an attacker to bypass signature verification by exploiting environment variable expansion and tricking the application in...

7.5CVSS6.7AI score0.00336EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2024/07/09 6:15 p.m.27 views

CVE-2024-39698

electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...

7.5CVSS0.00336EPSS
Exploits1References4
Cvelist
Cvelist
added 2024/07/09 5:50 p.m.28 views

CVE-2024-39698 Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6

electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...

7.5CVSS0.00336EPSS
Exploits1References4
OSV
OSV
added 2024/07/09 5:50 p.m.19 views

CVE-2024-39698 Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6

electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...

7.5CVSS6AI score0.00336EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2024/07/09 5:50 p.m.19 views

CVE-2024-39698 Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6

electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...

7.5CVSS6.4AI score0.00336EPSS
Exploits1References4
CVE
CVE
added 2024/07/09 5:50 p.m.67 views

CVE-2024-39698

The CVE-2024-39698 entry concerns a Windows code-signing bypass in electron-updater. A flaw in the verification routine in packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts arises because the surrounding shell (cmd.exe) expands environment variables in the command line, enab...

7.5CVSS7.1AI score0.00336EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder