Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities by CherryHQ
CVE-2026-13534 (GCVE-0-2026-13534)
Vulnerability from nvd – Published: 2026-06-29 04:15 – Updated: 2026-06-29 13:37
VLAI
Title
CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization
Summary
A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be initiated remotely. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor explains, that "[m]emory is planned to be removed in v2 version."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374542 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374542/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13534 | third-party-advisory |
| https://vuldb.com/submit/841998 | third-party-advisory |
| https://github.com/CherryHQ/cherry-studio/issues/15411 | exploitissue-tracking |
| https://github.com/CherryHQ/cherry-studio/pull/15413 | issue-trackingpatch |
| https://github.com/CherryHQ/cherry-studio/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
1.9.0
Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 1.9.5 Affected: 1.9.6 Affected: 1.9.7 cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13534",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:37:19.539055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:37:35.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:*"
],
"modules": [
"CherryIN Preload API"
],
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "1.9.0"
},
{
"status": "affected",
"version": "1.9.1"
},
{
"status": "affected",
"version": "1.9.2"
},
{
"status": "affected",
"version": "1.9.3"
},
{
"status": "affected",
"version": "1.9.4"
},
{
"status": "affected",
"version": "1.9.5"
},
{
"status": "affected",
"version": "1.9.6"
},
{
"status": "affected",
"version": "1.9.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dem0000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be initiated remotely. The attack\u0027s complexity is rated as high. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor explains, that \"[m]emory is planned to be removed in v2 version.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T04:15:09.623Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374542 | CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374542"
},
{
"name": "VDB-374542 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374542/cti"
},
{
"name": "CVE-2026-13534 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13534"
},
{
"name": "Submit #841998 | CherryHQ cherry-studio 1.9.6 Authorization Bypass / Flow-Key Confusion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/841998"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/CherryHQ/cherry-studio/issues/15411"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/15413"
},
{
"tags": [
"product"
],
"url": "https://github.com/CherryHQ/cherry-studio/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T11:31:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13534",
"datePublished": "2026-06-29T04:15:09.623Z",
"dateReserved": "2026-06-28T09:26:12.051Z",
"dateUpdated": "2026-06-29T13:37:35.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13524 (GCVE-0-2026-13524)
Vulnerability from nvd – Published: 2026-06-29 01:45 – Updated: 2026-06-30 17:25
VLAI
Title
CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization
Summary
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374532 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374532/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13524 | third-party-advisory |
| https://vuldb.com/submit/840175 | third-party-advisory |
| https://github.com/CherryHQ/cherry-studio/issues/15372 | exploitissue-tracking |
| https://github.com/CherryHQ/cherry-studio/pull/15388 | issue-trackingpatch |
| https://github.com/CherryHQ/cherry-studio/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
1.9.0
Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 1.9.5 Affected: 1.9.6 cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13524",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T17:25:37.210636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T17:25:56.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/840175"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:*"
],
"modules": [
"MCP OAuth Local Callback Server"
],
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "1.9.0"
},
{
"status": "affected",
"version": "1.9.1"
},
{
"status": "affected",
"version": "1.9.2"
},
{
"status": "affected",
"version": "1.9.3"
},
{
"status": "affected",
"version": "1.9.4"
},
{
"status": "affected",
"version": "1.9.5"
},
{
"status": "affected",
"version": "1.9.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dem0000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T01:45:08.988Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374532 | CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374532"
},
{
"name": "VDB-374532 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374532/cti"
},
{
"name": "CVE-2026-13524 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13524"
},
{
"name": "Submit #840175 | CherryHQ cherry-studio 1.9.6 Authorization Bypass / Login CSRF",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/840175"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/CherryHQ/cherry-studio/issues/15372"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/15388"
},
{
"tags": [
"product"
],
"url": "https://github.com/CherryHQ/cherry-studio/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T09:55:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13524",
"datePublished": "2026-06-29T01:45:08.988Z",
"dateReserved": "2026-06-28T07:50:21.081Z",
"dateUpdated": "2026-06-30T17:25:56.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61929 (GCVE-0-2025-61929)
Vulnerability from nvd – Published: 2025-10-10 19:50 – Updated: 2025-10-10 20:46
VLAI
Title
Cherry Studio allows one-click on a specific URL to cause a command to execute
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist.
Severity
9.7 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
<= 1.7.0-alpha.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:45:19.405302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:46:08.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0-alpha.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:50:14.036Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-hh6w-rmjc-26f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-hh6w-rmjc-26f6"
}
],
"source": {
"advisory": "GHSA-hh6w-rmjc-26f6",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio allows one-click on a specific URL to cause a command to execute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61929",
"datePublished": "2025-10-10T19:50:14.036Z",
"dateReserved": "2025-10-03T22:21:59.617Z",
"dateUpdated": "2025-10-10T20:46:08.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54382 (GCVE-0-2025-54382)
Vulnerability from nvd – Published: 2025-08-13 13:31 – Updated: 2025-08-13 14:10
VLAI
Title
Cherry Studio RCE Vulnerability Disclosure
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.
Severity
9.7 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
= 1.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54382",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:08:20.033580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:10:43.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "= 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server\u2019s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T13:31:13.532Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93"
}
],
"source": {
"advisory": "GHSA-gjp6-9cvg-8w93",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio RCE Vulnerability Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54382",
"datePublished": "2025-08-13T13:31:13.532Z",
"dateReserved": "2025-07-21T16:12:20.734Z",
"dateUpdated": "2025-08-13T14:10:43.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54074 (GCVE-0-2025-54074)
Vulnerability from nvd – Published: 2025-08-13 13:27 – Updated: 2025-08-13 14:15
VLAI
Title
Cherry Studio is Vulnerable to OS Command Injection during Connection with a Malicious MCP Server
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
| https://github.com/CherryHQ/cherry-studio/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
>= 1.2.5, < 1.5.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:15:04.480739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:15:16.261Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.5, \u003c 1.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T13:27:28.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/commit/40f9601379150854826ff3572ef7372fb0acdc38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/commit/40f9601379150854826ff3572ef7372fb0acdc38"
}
],
"source": {
"advisory": "GHSA-8xr5-732g-84px",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio is Vulnerable to OS Command Injection during Connection with a Malicious MCP Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54074",
"datePublished": "2025-08-13T13:27:28.232Z",
"dateReserved": "2025-07-16T13:22:18.205Z",
"dateUpdated": "2025-08-13T14:15:16.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54063 (GCVE-0-2025-54063)
Vulnerability from nvd – Published: 2025-08-11 17:59 – Updated: 2025-08-11 18:15
VLAI
Title
Cherry Studio One-click Remote Code Execution Vulnerability through Custom URL Handling
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app’s custom URL handler is triggered, leading to remote code execution on the victim’s machine. This issue has been patched in version 1.5.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
| https://github.com/CherryHQ/cherry-studio/pull/8218 | x_refsource_MISC |
| https://github.com/CherryHQ/cherry-studio/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
>= 1.4.8, < 1.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54063",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T18:15:31.571603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T18:15:43.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.8, \u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app\u2019s custom URL handler is triggered, leading to remote code execution on the victim\u2019s machine. This issue has been patched in version 1.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T17:59:40.626Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-p6vw-w3p8-4g72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-p6vw-w3p8-4g72"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/pull/8218",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/8218"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/commit/ff72c007c03ff47de21a4d0bf52a1ff1fb35cd89",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/commit/ff72c007c03ff47de21a4d0bf52a1ff1fb35cd89"
}
],
"source": {
"advisory": "GHSA-p6vw-w3p8-4g72",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio One-click Remote Code Execution Vulnerability through Custom URL Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54063",
"datePublished": "2025-08-11T17:59:40.626Z",
"dateReserved": "2025-07-16T13:22:18.204Z",
"dateUpdated": "2025-08-11T18:15:43.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-13534 (GCVE-0-2026-13534)
Vulnerability from cvelistv5 – Published: 2026-06-29 04:15 – Updated: 2026-06-29 13:37
VLAI
Title
CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization
Summary
A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be initiated remotely. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor explains, that "[m]emory is planned to be removed in v2 version."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374542 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374542/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13534 | third-party-advisory |
| https://vuldb.com/submit/841998 | third-party-advisory |
| https://github.com/CherryHQ/cherry-studio/issues/15411 | exploitissue-tracking |
| https://github.com/CherryHQ/cherry-studio/pull/15413 | issue-trackingpatch |
| https://github.com/CherryHQ/cherry-studio/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
1.9.0
Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 1.9.5 Affected: 1.9.6 Affected: 1.9.7 cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13534",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:37:19.539055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:37:35.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:*"
],
"modules": [
"CherryIN Preload API"
],
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "1.9.0"
},
{
"status": "affected",
"version": "1.9.1"
},
{
"status": "affected",
"version": "1.9.2"
},
{
"status": "affected",
"version": "1.9.3"
},
{
"status": "affected",
"version": "1.9.4"
},
{
"status": "affected",
"version": "1.9.5"
},
{
"status": "affected",
"version": "1.9.6"
},
{
"status": "affected",
"version": "1.9.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dem0000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be initiated remotely. The attack\u0027s complexity is rated as high. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor explains, that \"[m]emory is planned to be removed in v2 version.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T04:15:09.623Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374542 | CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374542"
},
{
"name": "VDB-374542 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374542/cti"
},
{
"name": "CVE-2026-13534 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13534"
},
{
"name": "Submit #841998 | CherryHQ cherry-studio 1.9.6 Authorization Bypass / Flow-Key Confusion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/841998"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/CherryHQ/cherry-studio/issues/15411"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/15413"
},
{
"tags": [
"product"
],
"url": "https://github.com/CherryHQ/cherry-studio/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T11:31:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13534",
"datePublished": "2026-06-29T04:15:09.623Z",
"dateReserved": "2026-06-28T09:26:12.051Z",
"dateUpdated": "2026-06-29T13:37:35.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13524 (GCVE-0-2026-13524)
Vulnerability from cvelistv5 – Published: 2026-06-29 01:45 – Updated: 2026-06-30 17:25
VLAI
Title
CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization
Summary
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374532 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374532/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13524 | third-party-advisory |
| https://vuldb.com/submit/840175 | third-party-advisory |
| https://github.com/CherryHQ/cherry-studio/issues/15372 | exploitissue-tracking |
| https://github.com/CherryHQ/cherry-studio/pull/15388 | issue-trackingpatch |
| https://github.com/CherryHQ/cherry-studio/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
1.9.0
Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 1.9.5 Affected: 1.9.6 cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13524",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T17:25:37.210636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T17:25:56.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/840175"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:*"
],
"modules": [
"MCP OAuth Local Callback Server"
],
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "1.9.0"
},
{
"status": "affected",
"version": "1.9.1"
},
{
"status": "affected",
"version": "1.9.2"
},
{
"status": "affected",
"version": "1.9.3"
},
{
"status": "affected",
"version": "1.9.4"
},
{
"status": "affected",
"version": "1.9.5"
},
{
"status": "affected",
"version": "1.9.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dem0000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T01:45:08.988Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374532 | CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374532"
},
{
"name": "VDB-374532 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374532/cti"
},
{
"name": "CVE-2026-13524 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13524"
},
{
"name": "Submit #840175 | CherryHQ cherry-studio 1.9.6 Authorization Bypass / Login CSRF",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/840175"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/CherryHQ/cherry-studio/issues/15372"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/15388"
},
{
"tags": [
"product"
],
"url": "https://github.com/CherryHQ/cherry-studio/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T09:55:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13524",
"datePublished": "2026-06-29T01:45:08.988Z",
"dateReserved": "2026-06-28T07:50:21.081Z",
"dateUpdated": "2026-06-30T17:25:56.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61929 (GCVE-0-2025-61929)
Vulnerability from cvelistv5 – Published: 2025-10-10 19:50 – Updated: 2025-10-10 20:46
VLAI
Title
Cherry Studio allows one-click on a specific URL to cause a command to execute
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist.
Severity
9.7 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
<= 1.7.0-alpha.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:45:19.405302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:46:08.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0-alpha.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:50:14.036Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-hh6w-rmjc-26f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-hh6w-rmjc-26f6"
}
],
"source": {
"advisory": "GHSA-hh6w-rmjc-26f6",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio allows one-click on a specific URL to cause a command to execute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61929",
"datePublished": "2025-10-10T19:50:14.036Z",
"dateReserved": "2025-10-03T22:21:59.617Z",
"dateUpdated": "2025-10-10T20:46:08.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54382 (GCVE-0-2025-54382)
Vulnerability from cvelistv5 – Published: 2025-08-13 13:31 – Updated: 2025-08-13 14:10
VLAI
Title
Cherry Studio RCE Vulnerability Disclosure
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.
Severity
9.7 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
= 1.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54382",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:08:20.033580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:10:43.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "= 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server\u2019s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T13:31:13.532Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93"
}
],
"source": {
"advisory": "GHSA-gjp6-9cvg-8w93",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio RCE Vulnerability Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54382",
"datePublished": "2025-08-13T13:31:13.532Z",
"dateReserved": "2025-07-21T16:12:20.734Z",
"dateUpdated": "2025-08-13T14:10:43.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54074 (GCVE-0-2025-54074)
Vulnerability from cvelistv5 – Published: 2025-08-13 13:27 – Updated: 2025-08-13 14:15
VLAI
Title
Cherry Studio is Vulnerable to OS Command Injection during Connection with a Malicious MCP Server
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
| https://github.com/CherryHQ/cherry-studio/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
>= 1.2.5, < 1.5.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:15:04.480739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:15:16.261Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.5, \u003c 1.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T13:27:28.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/commit/40f9601379150854826ff3572ef7372fb0acdc38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/commit/40f9601379150854826ff3572ef7372fb0acdc38"
}
],
"source": {
"advisory": "GHSA-8xr5-732g-84px",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio is Vulnerable to OS Command Injection during Connection with a Malicious MCP Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54074",
"datePublished": "2025-08-13T13:27:28.232Z",
"dateReserved": "2025-07-16T13:22:18.205Z",
"dateUpdated": "2025-08-13T14:15:16.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54063 (GCVE-0-2025-54063)
Vulnerability from cvelistv5 – Published: 2025-08-11 17:59 – Updated: 2025-08-11 18:15
VLAI
Title
Cherry Studio One-click Remote Code Execution Vulnerability through Custom URL Handling
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app’s custom URL handler is triggered, leading to remote code execution on the victim’s machine. This issue has been patched in version 1.5.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/CherryHQ/cherry-studio/securit… | x_refsource_CONFIRM |
| https://github.com/CherryHQ/cherry-studio/pull/8218 | x_refsource_MISC |
| https://github.com/CherryHQ/cherry-studio/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
>= 1.4.8, < 1.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54063",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T18:15:31.571603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T18:15:43.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.8, \u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app\u2019s custom URL handler is triggered, leading to remote code execution on the victim\u2019s machine. This issue has been patched in version 1.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T17:59:40.626Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-p6vw-w3p8-4g72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-p6vw-w3p8-4g72"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/pull/8218",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/8218"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/commit/ff72c007c03ff47de21a4d0bf52a1ff1fb35cd89",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/commit/ff72c007c03ff47de21a4d0bf52a1ff1fb35cd89"
}
],
"source": {
"advisory": "GHSA-p6vw-w3p8-4g72",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio One-click Remote Code Execution Vulnerability through Custom URL Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54063",
"datePublished": "2025-08-11T17:59:40.626Z",
"dateReserved": "2025-07-16T13:22:18.204Z",
"dateUpdated": "2025-08-11T18:15:43.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}