CVE-2024-14010
Published: 12 December 2025
Description
Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user inputs to the 'run command' field in Typora's PDF export preferences to block command injection.
Mandates timely identification, prioritization, and remediation of the specific command injection flaw in Typora 1.7.4 via patching.
Restricts or prohibits user installation of vulnerable Typora software on organizational systems, eliminating exposure to the CVE.
Security SummaryAI
CVE-2024-14010 is a command injection vulnerability (CWE-78) in Typora version 1.7.4. The issue affects the PDF export preferences, where the 'run command' input field fails to properly sanitize user input, enabling attackers to inject and execute arbitrary system commands.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely with low complexity, no privileges, and no user interaction required. Attackers can achieve remote code execution by injecting malicious commands into the vulnerable field during PDF export operations.
Advisories and related resources include the Typora official site at http://www.typora.io, a proof-of-concept exploit at https://www.exploit-db.com/exploits/51752, and a detailed advisory from Vulncheck at https://www.vulncheck.com/advisories/typora-os-command-injection-via-export-pdf-preferences.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in Typora enables remote code execution by exploiting a client application (T1203) and facilitates arbitrary command execution via system interpreters (T1059).