FKIE_CVE-2026-21853
Vulnerability from fkie_nvd - Published: 2026-03-02 19:16 - Updated: 2026-03-02 20:29
Severity: HIGH (CVSS v3.1 base score 8.8, per the GitHub advisory metric in the record below)
Summary
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: 1/ A victim visits a malicious website controlled by the attacker and the website redirects to the URL automatically, or 2/ A victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE's custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim's machine, without further interaction. This issue has been patched in version 0.25.4.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: 1/ A victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or 2/ A victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim\u2019s machine, without further interaction. This issue has been patched in version 0.25.4."
},
{
"lang": "es",
"value": "AFFiNE es un espacio de trabajo todo en uno de c\u00f3digo abierto y un sistema operativo. Antes de la versi\u00f3n 0.25.4, existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de un solo clic. Esta vulnerabilidad puede ser explotada incrustando una URL affine: especialmente dise\u00f1ada en un sitio web. Un atacante puede activar la vulnerabilidad en dos escenarios comunes: 1/ Una v\u00edctima visita un sitio web malicioso controlado por el atacante y el sitio web redirige autom\u00e1ticamente a la URL, o 2/ Una v\u00edctima hace clic en un enlace dise\u00f1ado incrustado en un sitio web leg\u00edtimo (p. ej., en contenido generado por el usuario). En ambos casos, el navegador invoca el gestor de URL personalizado de AFFiNE, lo que inicia la aplicaci\u00f3n AFFiNE y procesa la URL dise\u00f1ada. Esto resulta en ejecuci\u00f3n de c\u00f3digo arbitrario en la m\u00e1quina de la v\u00edctima, sin interacci\u00f3n adicional. Este problema ha sido parcheado en la versi\u00f3n 0.25.4."
}
],
"id": "CVE-2026-21853",
"lastModified": "2026-03-02T20:29:29.330",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-02T19:16:32.560",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/toeverything/AFFiNE/commit/c9a4129a3e9376b688c18e1dcd6c87a775caac80"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/toeverything/AFFiNE/pull/13864"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/toeverything/AFFiNE/security/advisories/GHSA-67vm-2mcj-8965"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.