CVE-2026-54672 PUBLISHED

electron-updater: Uncontrolled search path elements within `AppImage` built by `app-builder-lib`

Assigner: GitHub_M
Reserved: 15.06.2026 Published: 30.06.2026 Updated: 01.07.2026

electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.
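The empty-component condition described above, as an added shell example (not code from electron-builder, app-builder-lib or this advisory). The function names and the `/tmp/app/usr/lib` directory are hypothetical, and `prepend_unsafe` shows the general concatenation pattern that yields an empty component, not the project's actual launcher code.

```sh
#!/bin/sh
# A zero-length entry in LD_LIBRARY_PATH makes the dynamic linker search the
# current working directory. Only ':' separators are handled here.

# True (0) if the value has a leading, trailing or doubled ':'.
has_empty_component() {
    case $1 in
        '') return 1 ;;              # no value set, so no components
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drop zero-length entries from a ':'-separated list. The function body is a
# subshell so the IFS and globbing changes do not leak into the caller.
strip_empty() (
    IFS=:
    set -f
    out=
    for part in $1; do
        if [ -n "$part" ]; then out="${out:+$out:}$part"; fi
    done
    printf '%s\n' "$out"
)

# Weak pattern: an unset or empty inherited value leaves a trailing ':'.
prepend_unsafe() { printf '%s\n' "$1:$2"; }

# Hardened pattern: add ':' only when something non-empty follows it.
prepend_safe() {
    inherited=$(strip_empty "$2")
    printf '%s\n' "$1${inherited:+:$inherited}"
}

# Constructed inherited values; /tmp/app/usr/lib stands in for a bundled lib dir.
for inherited in '' '/opt/lib' ':/opt/lib:'; do
    for candidate in "$(prepend_unsafe /tmp/app/usr/lib "$inherited")" \
                     "$(prepend_safe /tmp/app/usr/lib "$inherited")"; do
        if has_empty_component "$candidate"; then verdict='CWD on search path'
        else verdict='ok'; fi
        printf '%-32s %s\n' "$candidate" "$verdict"
    done
done
```

`has_empty_component "$LD_LIBRARY_PATH"` can be used the same way in a wrapper script or CI check to flag a launcher environment before the application starts.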

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Product Status

Vendor electron-userland
Product electron-builder
Versions
  • Version < 26.15.0 is affected
Vendor electron-userland
Product app-builder-lib
Versions
  • Version < 26.15.0 is affected

References

Problem Types

  • CWE-427: Uncontrolled Search Path Element