cvedb.io
CVE-2025-29509
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2025-05-09T17:15:50.947 · Last modified 2026-06-17T09:05:28.557

Summary

Jan v0.5.14 and earlier is vulnerable to remote code execution (RCE) when the user clicks a rendered link in the conversation. The cause is that external websites are opened inside the app, where electronAPI is exposed, and URLs are not filtered before shell.openExternal() is called.
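
The missing URL filter described in the summary, sketched as an added example (not Jan's code or its actual fix): a scheme allowlist applied before anything reaches shell.openExternal(). The names ALLOWED_PROTOCOLS, checkExternalUrl and openExternalSafely are hypothetical, and the `shell` object is passed in so the check runs without Electron.

```javascript
// Added example: validate a link before handing it to Electron's
// shell.openExternal(). All names here are hypothetical, not from Jan.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]);
const MAX_URL_LENGTH = 2048; // assumed limit, adjust to the application

// Returns { ok: true, url } with the normalized URL, or { ok: false, reason }.
function checkExternalUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_URL_LENGTH) {
    return { ok: false, reason: "not a usable string" };
  }
  let parsed;
  try {
    // WHATWG parser with no base URL: relative input throws here.
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // The parser lowercases the scheme, so "FILE:" and "file:" compare the same.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "embedded credentials" };
  }
  return { ok: true, url: parsed.href };
}

// `shell` is injected for testability; in an Electron main process it would
// be require("electron").shell. Rejected input never reaches openExternal().
async function openExternalSafely(shell, raw) {
  const verdict = checkExternalUrl(raw);
  if (!verdict.ok) return verdict;
  await shell.openExternal(verdict.url);
  return verdict;
}

// Constructed sample inputs, one per rejection class plus one accepted URL.
const SAMPLES = [
  "https://example.com/docs?q=1",
  "file:///tmp/example.txt",
  "example-app://open",
  "/relative/path",
  "https://user:pw@example.com/",
];

function classifySamples() {
  return SAMPLES.map((s) => ({ input: s, ...checkExternalUrl(s) }));
}
```

The filter addresses only the shell.openExternal() part of the summary; opening external sites inside the app window and the exposed electronAPI are separate causes that it does not change.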

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.