CVE-2026-40501: Inclusion of Functionality from Untrusted Control Sphere in CherryHQ cherry-studio
Cherry Studio versions 1.2.2 through 1.9.12, fixed in commit 1518530, contain a remote code execution vulnerability in SearchService that allows remote attackers to execute arbitrary code by delivering malicious JavaScript through controlled search provider content loaded into an Electron BrowserWindow configured with nodeIntegration enabled and contextIsolation disabled. Attackers who control a search engine provider, individual search result pages, or provider settings pages can execute JavaScript with full Node.js privileges, gaining access to fs, child_process, os, and process.env under the operating-system account of the Cherry Studio process.
AI Analysis
Technical Summary
Cherry Studio versions 1.2.2 through 1.9.12 are affected by a remote code execution vulnerability in the SearchService. The issue arises because the application loads search provider content into an Electron BrowserWindow configured with nodeIntegration enabled and contextIsolation disabled, allowing malicious JavaScript delivered via a compromised or attacker-controlled search provider to execute with full Node.js privileges. This enables attackers to access sensitive Node.js modules such as fs, child_process, os, and process.env, potentially compromising the host system under the user account running Cherry Studio. The vulnerability is fixed in commit 1518530, but no official patch or advisory details are currently provided.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary code with full Node.js privileges on the affected system under the operating system account running Cherry Studio. This can lead to full system compromise, including file system access, process execution, and environment variable disclosure. The vulnerability does not require privileges or user interaction beyond visiting or loading malicious search provider content. The CVSS 4.0 score of 8.6 reflects high impact and exploitability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid using untrusted or unknown search providers within Cherry Studio and consider disabling nodeIntegration or enabling contextIsolation in the Electron BrowserWindow configuration if possible. Monitor vendor channels for updates and apply the fix once available (noted as commit 1518530).
CVE-2026-40501: Inclusion of Functionality from Untrusted Control Sphere in CherryHQ cherry-studio
Description
Cherry Studio versions 1.2.2 through 1.9.12, fixed in commit 1518530, contain a remote code execution vulnerability in SearchService that allows remote attackers to execute arbitrary code by delivering malicious JavaScript through controlled search provider content loaded into an Electron BrowserWindow configured with nodeIntegration enabled and contextIsolation disabled. Attackers who control a search engine provider, individual search result pages, or provider settings pages can execute JavaScript with full Node.js privileges, gaining access to fs, child_process, os, and process.env under the operating-system account of the Cherry Studio process.
CVSS v4.0
Score 8.6high
Affected software
pkg:github/cherry-studioRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Cherry Studio versions 1.2.2 through 1.9.12 are affected by a remote code execution vulnerability in the SearchService. The issue arises because the application loads search provider content into an Electron BrowserWindow configured with nodeIntegration enabled and contextIsolation disabled, allowing malicious JavaScript delivered via a compromised or attacker-controlled search provider to execute with full Node.js privileges. This enables attackers to access sensitive Node.js modules such as fs, child_process, os, and process.env, potentially compromising the host system under the user account running Cherry Studio. The vulnerability is fixed in commit 1518530, but no official patch or advisory details are currently provided.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary code with full Node.js privileges on the affected system under the operating system account running Cherry Studio. This can lead to full system compromise, including file system access, process execution, and environment variable disclosure. The vulnerability does not require privileges or user interaction beyond visiting or loading malicious search provider content. The CVSS 4.0 score of 8.6 reflects high impact and exploitability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid using untrusted or unknown search providers within Cherry Studio and consider disabling nodeIntegration or enabling contextIsolation in the Electron BrowserWindow configuration if possible. Monitor vendor channels for updates and apply the fix once available (noted as commit 1518530).
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-13T20:29:02.808Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a57cb6968715ace432ccb3d
Added to database: 07/15/2026, 18:03:21 UTC
Last enriched: 07/15/2026, 18:17:39 UTC
Last updated: 07/15/2026, 19:31:06 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.