CVE-2024-14010 HIGH

CVE-2024-14010: Typora 1.7.4 OS Command Injection via Export PDF Preferences

Vendor Unknown

Product Typora

Weakness CWE-78

Published December 12, 2025

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.

Key dates

02Disclosure timeline

December 12, 2025 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-14010 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2024-14010: Typora 1.7.4 OS Command Injection via Export PDF Preferences

01Description

02Disclosure timeline

03References

04Related CVE