CVE-2026-42890
actual Allows Electron to Run As Node
描述
## Summary A electron run as node vulnerability was identified in `actual` (macOS application, version `25.x (Electron 39.2.7)`). **Vulnerability Type:** Electron Run As Node ## Description ELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) — app can be converted to Node.js REPL for arbitrary code execution ## Impact An attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the apps entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actuals bundle ID and signed identity, and has access to any entitlements the app carries (network, file access, keychain, automation). Combined with any downloader (browser, mail attachment, Slack link) this becomes a signed-binary-abuse primitive on every Mac with Actual installed.
如何修補 CVE-2026-42890
要修補 CVE-2026-42890,請將受影響套件升級到下列已修補版本。
- —升級至 26.5.0 或更新版本
CVE-2026-42890 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-42890 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- from 0, < 26.5.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |