Activity Watch vulnerable to command execution on macOS via printAppTitle.scpt
Description
Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visit a website whose page title is set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the printAppTitle.scpt file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-32692: ActivityWatch before 0.11.0 allows arbitrary command execution on macOS via a malicious application window title.
Vulnerability
Activity Watch versions prior to 0.11.0 contain a code injection vulnerability in the macOS-specific printAppTitle.scpt script, which is responsible for retrieving the active application window's title. By setting the window title to a specially crafted string (e.g., via a web page title or other application), an attacker can inject arbitrary AppleScript commands that the script executes without sanitization. The attack is most easily triggered when a user visits a website whose page title contains the malicious payload, but any application that sets an attacker-controlled window title could be used. [1]
Exploitation
An attacker must lure a user running an affected Activity Watch version (prior to 0.11.0) on macOS into opening an application that sets its window title to a malicious string. The most likely vector is a web browser: the attacker hosts a page whose HTML `<title>` (or equivalent) contains the crafted payload, and convinces the user to navigate to it. The aw-watcher-window process periodically calls printAppTitle.scpt to read the foreground window's title; the script does not escape or validate the input, allowing the injected AppleScript code to execute with the privileges of the user. No authentication or prior access to the target machine is required beyond the user performing the action. [1]
Impact
Successful exploitation achieves arbitrary command execution on the victim's macOS machine. The attacker can run shell commands or AppleScript instructions, leading to full compromise of user data, installation of malware, credential theft, or any action the user can perform on the system. The impact is limited to machines running ActivityWatch on macOS; the code runs in the context of the logged-in user. [1]
Mitigation
The issue is fixed in Activity Watch version 0.11.0, as stated in the advisory. Users should update immediately. As a workaround, users can run the latest version of aw-watcher-window from source or manually apply the patched version of the printAppTitle.scpt file. No other mitigations are provided in the references. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <0.11.0
- (no CPE) range: 0.11.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.