CVE-2026-34779: Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.
Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.
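To check whether a code base meets the affected condition above, the following added example (not Electron's code and not part of the advisory) scans JavaScript/TypeScript sources for uses of app.moveToApplicationsFolder(). The function names, the file-extension filter and the SAMPLE input are assumptions made for this illustration.

```javascript
// Added example; not Electron's code. SAMPLE below is constructed input.
const API = 'moveToApplicationsFolder';
const SOURCE_FILE = /\.(c|m)?(j|t)sx?$/; // .js .ts .jsx .tsx .mjs .cjs .mts .cts

// Blank out comments but keep newlines so reported line numbers stay correct.
// Simplification: comment markers inside string literals are not special-cased.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
}

// 'call' = direct method call; 'reference' = any other mention (alias,
// bracket access, destructuring) that needs a manual look.
function findApiUses(src) {
  const direct = new RegExp(`\\.\\s*${API}\\s*(\\?\\.)?\\s*\\(`);
  return stripComments(src).split('\n').flatMap((text, i) =>
    text.includes(API)
      ? [{ line: i + 1, kind: direct.test(text) ? 'call' : 'reference' }]
      : []);
}

// Walk a project tree and collect every use together with its file path.
async function scanTree(root) {
  const { readdir, readFile } = await import('node:fs/promises');
  const { join } = await import('node:path');
  const results = [];
  for (const entry of await readdir(root, { withFileTypes: true })) {
    const full = join(root, entry.name);
    if (entry.isDirectory()) {
      if (entry.name !== '.git') results.push(...await scanTree(full));
    } else if (SOURCE_FILE.test(entry.name)) {
      const src = await readFile(full, 'utf8');
      results.push(...findApiUses(src).map((hit) => ({ file: full, ...hit })));
    }
  }
  return results;
}

const SAMPLE = [
  "const { app } = require('electron');",
  '// app.moveToApplicationsFolder();',
  '/* app.moveToApplicationsFolder()',
  '   still a comment */',
  'app.whenReady().then(() => app.moveToApplicationsFolder());',
  "const move = app['moveToApplicationsFolder'];",
].join('\n');
console.log(findApiUses(SAMPLE));
// For a real project: scanTree('path/to/app').then(console.table);
```

The scan deliberately descends into node_modules, since a bundled dependency may call the API on the app's behalf.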