Cross-Platform Desktop Application Packager Vulnerability in Pulpy
CVE-2026-44225

9.3 CRITICAL

Key Information:

Vendor

Enesgkky

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-44225?

The Pulpy application packager has a significant vulnerability in how it handles file system access through the pulpy.fs JavaScript API. In versions prior to 0.1.1, Pulpy allows packaged web applications to read and write arbitrary files within the user's home directory, including sensitive files such as SSH keys and AWS credentials. The cause is an incomplete blocklist in the validateFsPath() function, which is intended to sandbox filesystem access. Users of Pulpy should upgrade to version 0.1.1 promptly to mitigate the risk of unauthorized data exposure.

Affected Version(s)

Pulpy < 0.1.1

References

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
