Remote Code Execution Vulnerability in Cherry Studio by Cherry HQ
CVE-2026-40501

8.6HIGH

Key Information:

Vendor

Cherryhq

Vendor
CVE Published:
15 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-40501?

Cherry Studio is vulnerable to remote code execution due to a misconfiguration in the SearchService component. Versions 1.2.2 through 1.9.12 have been identified as affected, enabling attackers to exploit controlled search provider content delivered via malicious JavaScript. If the Electron BrowserWindow is configured with nodeIntegration enabled and contextIsolation disabled, attackers can execute arbitrary JavaScript with full privileges of the Node.js environment, thereby accessing sensitive system functionalities such as the file system and process internals under the operating-system account running Cherry Studio.

Affected Version(s)

cherry-studio 1.2.2 <= 1.9.12

cherry-studio 1.2.2 <= 1.9.12

cherry-studio f9c6bddae5b91cc50872c76e791105fa219d0d34 <= 151853035e8e417a51559ebfc243eda98361a882

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hanyin
.