Submit #619142: cronoh nanovault v1.2.1 Code Injectioninfo

Titlecronoh nanovault v1.2.1 Code Injection
DescriptionWe discovered a one-click remote code execution vulnerability in the latest version (v1.2.1) of the [NanoVault app](https://github.com/cronoh/nanovault). An attacker can exploit this vulnerability by embedding a specially crafted xrb: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (`xrb:`), causing the NanoVault application to launch and process the URL, leading to remote code execution on the victim’s machine.
Source⚠️ https://gist.github.com/jackfromeast/1e2e206813887a470e00b8474c616567
User
 Zhengyu Liu (UID 84541)
Submission07/20/2025 04:12 AM (6 months ago)
Moderation08/04/2025 02:01 PM (15 days later)
StatusAccepted
VulDB entry318665 [cronoh NanoVault up to 1.2.1 xrb URL /main.js executeJavaScript cross site scripting]
Points20

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!