CVE Catalog

CVE-2026-44225

Critical
Published: Translated: NVD NIST

Summary

Pulpy is a lightweight, cross-platform application packager for web apps. Prior to version 0.1.1, Pulpy injected the pulpy.fs JavaScript API into every packaged web application, allowing access to the host filesystem. The validateFsPath() function was supposed to sandbox this access, but its blocklist was incomplete.

Risk Assessment

Any web app packaged with Pulpy could read and write arbitrary files in the user's home directory, posing a serious risk of sensitive data leakage, such as SSH keys or AWS credentials.

Recommendation

It is recommended to update Pulpy to version 0.1.1 or later to mitigate this vulnerability. Additionally, monitoring access to sensitive files in the system is advised.

Original NVD description (English source)

Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access, but its blocklist is incomplete. Any web app packaged with Pulpy can read and write arbitrary files in the user's home directory — including ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/. This vulnerability is fixed in 0.1.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS