crates.io package
tauri
pkg:cargo/tauri
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42184 | — | >= 2.0.0, < 2.11.1 | 2.11.1 | May 6, 2026 | ### Summary A flaw in Tauri's `is_local_url()` function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to `http://.localhost/` because those platforms' WebView impleme | ||
| CVE-2024-35222 | Med | 5.9 | < 1.6.7 | 1.6.7 | May 23, 2024 | Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid command | |
| CVE-2023-34460 | — | >= 1.4.0, < 1.4.1 | 1.4.1 | Jun 23, 2023 | Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (eg. `$HOME/*`), but a regression wa | ||
| CVE-2023-31134 | — | >= 1.0.0, < 1.0.9 | 1.0.9 | May 9, 2023 | Tauri is software for building applications for multi-platform deployment. The Tauri IPC is usually strictly isolated from external websites, but in versions 1.0.0 until 1.0.9, 1.1.0 until 1.1.4, and 1.2.0 until 1.2.5, the isolation can be bypassed by redirecting an existing Taur | ||
| CVE-2022-46171 | — | >= 1.0.0, < 1.0.8 | 1.0.8 | Dec 23, 2022 | Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wild | ||
| CVE-2022-41874 | — | >= 1.0.0, < 1.0.7 | 1.0.7 | Nov 10, 2022 | Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functiona | ||
| CVE-2022-39215 | — | < 1.0.6 | 1.0.6 | Sep 15, 2022 | Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction fol |
- CVE-2026-42184May 6, 2026affected >= 2.0.0, < 2.11.1fixed 2.11.1
### Summary A flaw in Tauri's `is_local_url()` function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to `http://.localhost/` because those platforms' WebView impleme
- affected < 1.6.7fixed 1.6.7
Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid command
- CVE-2023-34460Jun 23, 2023affected >= 1.4.0, < 1.4.1fixed 1.4.1
Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (eg. `$HOME/*`), but a regression wa
- CVE-2023-31134May 9, 2023affected >= 1.0.0, < 1.0.9fixed 1.0.9
Tauri is software for building applications for multi-platform deployment. The Tauri IPC is usually strictly isolated from external websites, but in versions 1.0.0 until 1.0.9, 1.1.0 until 1.1.4, and 1.2.0 until 1.2.5, the isolation can be bypassed by redirecting an existing Taur
- CVE-2022-46171Dec 23, 2022affected >= 1.0.0, < 1.0.8fixed 1.0.8
Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wild
- CVE-2022-41874Nov 10, 2022affected >= 1.0.0, < 1.0.7fixed 1.0.7
Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functiona
- CVE-2022-39215Sep 15, 2022affected < 1.0.6fixed 1.0.6
Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction fol