Typora 1.7.4 OS Command Injection via Export PDF Preferences

Advisories

severity: high
date: December 12, 2025
Affecting: Typora 1.7.4
CVE: CVE-2024-14010
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:L:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51752
Typora Vendor Homepage
Credit: Ahmet Ümit BAYRAM
Description: Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.