Remote Code Execution Vulnerability in Cherry Studio by Cherry HQ
CVE-2026-40501
Key Information:
- Vendor
Cherryhq
- Status
- Vendor
- CVE Published:
- 15 July 2026
Badges
What is CVE-2026-40501?
Cherry Studio is vulnerable to remote code execution due to a misconfiguration in the SearchService component. Versions 1.2.2 through 1.9.12 have been identified as affected, enabling attackers to exploit controlled search provider content delivered via malicious JavaScript. If the Electron BrowserWindow is configured with nodeIntegration enabled and contextIsolation disabled, attackers can execute arbitrary JavaScript with full privileges of the Node.js environment, thereby accessing sensitive system functionalities such as the file system and process internals under the operating-system account running Cherry Studio.
Affected Version(s)
cherry-studio 1.2.2 <= 1.9.12
cherry-studio 1.2.2 <= 1.9.12
cherry-studio f9c6bddae5b91cc50872c76e791105fa219d0d34 <= 151853035e8e417a51559ebfc243eda98361a882
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
