Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2024-14010 — AI Deep Analysis Summary

CVSS 9.8 · Critical

Q1What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: Typora v1.7.4 has an **OS Command Injection** flaw in PDF export settings. 💥 **Consequences**: Attackers can execute **arbitrary system commands** on the victim's machine.…

Q2Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: **CWE-78** (OS Command Injection). The vulnerability stems from improper sanitization of inputs in the **PDF export preferences**.…

Q3Who is affected? (Versions/Components)

📦 **Affected**: **Typora** version **1.7.4**. Users running this specific version are at risk. The vendor is listed as **Unknown** in the data, but the product is clearly Typora.

Q4What can hackers do? (Privileges/Data)

👑 **Privileges**: The attacker gains the **same privileges** as the user running Typora.…

Q5Is exploitation threshold high? (Auth/Config)

⚡ **Threshold**: **LOW**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. No authentication (PR:N), no user interaction required (UI:N), and low complexity (AC:L).…

Q6Is there a public Exp? (PoC/Wild Exploitation)

💣 **Public Exploit**: **YES**. ExploitDB ID **51752** is available. This indicates that proof-of-concept code is public, making wild exploitation possible for anyone with basic technical skills.

Q7How to self-check? (Features/Scanning)

🔍 **Self-Check**: Check if you are using **Typora 1.7.4**. Look for the **PDF Export** feature in preferences. If you see custom command arguments or scripts in the export settings, you are likely vulnerable.…

Q8Is it fixed officially? (Patch/Mitigation)

🩹 **Fix Status**: The data does not explicitly list a patched version number, but references the **Vendor Homepage** (typora.io). Users should immediately check for updates or patches from the official vendor site.

Q9What if no patch? (Workaround)

🚧 **No Patch Workaround**: **Disable PDF Export** functionality if possible. Do not use custom commands in export preferences. Avoid opening Typora documents from untrusted sources.…

Q10Is it urgent? (Priority Suggestion)

🔥 **Urgency**: **CRITICAL**. With CVSS likely **9.8+** (High/High/High) and public exploits available, this is an **immediate priority**. Patch or mitigate **NOW** to prevent remote code execution.