GNU Emacs

Emacs URL Redirect Injection: Remote Shell
CVE-2025-1244 8.8 - High - February 12, 2025

A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.

Shell injection

GNU Emacs elisp-mode Unsafe Macro Expansion Code Execution Vulnerability
CVE-2024-53920 7.8 - High - November 27, 2024

In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)

Code Injection

Emacs Org Link Abuse: unsafe %(...) expands shell-command-to-string before 29.4
CVE-2024-39331 - June 23, 2024

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

Org Mode remote file trust in Emacs <29.3 / <9.6.23
CVE-2024-30205 - March 25, 2024

In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.

Emacs <=29.2: Default LaTeX Preview in email attachments triggers code exec
CVE-2024-30204 - March 25, 2024

In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.

GNU Emacs Gnus Inline MIME Trust Bypass before 29.3
CVE-2024-30203 - March 25, 2024

In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

Emacs<=29.3 Org Mode XSS: Eval arbitrary Lisp code before 9.6.23
CVE-2024-30202 - March 25, 2024

In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.

Emacs org-babel Execute- LaTeX: Arbitrary Command Execution (CVE-2023-2491)
CVE-2023-2491 7.8 - High - May 17, 2023

A flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the "org-babel-execute:latex" function in ob-latex.el can result in arbitrary command execution. This CVE exists because of a CVE-2023-28617 security regression for the emacs package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.

Command Injection

Org Mode 9.6.1 Shell Metachar Abuse in ob-latex Execute
CVE-2023-28617 7.8 - High - March 19, 2023

org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

Shell injection

Emacs 28.x Emacsclient-Mail Desktop Lisp Injection via mailto:
CVE-2023-27986 7.8 - High - March 09, 2023

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90.

Code Injection

Emacs 28.1-28.2: Mailto Shell Injection via emacsclient-mail.desktop
CVE-2023-27985 7.8 - High - March 09, 2023

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90

Shell injection

GNU Emacs <=28.2 htmlfontify.el Command Injection
CVE-2022-48339 7.8 - High - February 20, 2023

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

Output Sanitization

Command injection via gem in GNU Emacs ruby-mode <=28.2
CVE-2022-48338 7.3 - High - February 20, 2023

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.

Command Injection

Command Injection via etags in GNU Emacs before 28.3
CVE-2022-48337 9.8 - Critical - February 20, 2023

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Shell injection

Command Exec via Shell Metachar in GNU Emacs 28.2 ctags
CVE-2022-45939 7.8 - High - November 28, 2022

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Shell injection