Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
AFFiNE: Malicious links can run code on your computer
CVE-2026-21853
Summary
If you use an older version of AFFiNE, visiting a malicious website or clicking a suspicious link can allow an attacker to run code on your computer without your knowledge. Update to version 0.25.4 or later to fix this issue.
Original title
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by emb...
Original description
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: 1/ A victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or 2/ A victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim’s machine, without further interaction. This issue has been patched in version 0.25.4.
nvd CVSS3.1
8.8
Vulnerability type
CWE-94
Code Injection
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026