CVE-2026-21853

{"id": "CVE-2026-21853", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-02T19:16:32.560", "references": [{"url": "https://github.com/toeverything/AFFiNE/commit/c9a4129a3e9376b688c18e1dcd6c87a775caac80", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/toeverything/AFFiNE/pull/13864", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/toeverything/AFFiNE/security/advisories/GHSA-67vm-2mcj-8965", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: 1/ A victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or 2/ A victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim\u2019s machine, without further interaction. This issue has been patched in version 0.25.4."}, {"lang": "es", "value": "AFFiNE es un espacio de trabajo todo en uno de c\u00f3digo abierto y un sistema operativo. Antes de la versi\u00f3n 0.25.4, existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de un solo clic. Esta vulnerabilidad puede ser explotada incrustando una URL affine: especialmente dise\u00f1ada en un sitio web. Un atacante puede activar la vulnerabilidad en dos escenarios comunes: 1/ Una v\u00edctima visita un sitio web malicioso controlado por el atacante y el sitio web redirige autom\u00e1ticamente a la URL, o 2/ Una v\u00edctima hace clic en un enlace dise\u00f1ado incrustado en un sitio web leg\u00edtimo (p. ej., en contenido generado por el usuario). En ambos casos, el navegador invoca el gestor de URL personalizado de AFFiNE, lo que inicia la aplicaci\u00f3n AFFiNE y procesa la URL dise\u00f1ada. Esto resulta en ejecuci\u00f3n de c\u00f3digo arbitrario en la m\u00e1quina de la v\u00edctima, sin interacci\u00f3n adicional. Este problema ha sido parcheado en la versi\u00f3n 0.25.4."}], "lastModified": "2026-04-20T14:53:37.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:affine:affine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCC113D1-6B87-4514-B83A-CB34A9108CD7", "versionEndExcluding": "0.25.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}