CVE-2024-14010

CRITICAL

Typora 1.7.4 - OS Command Injection via PDF Export Preferences

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-14010. PoCs published by Ahmet Ümit BAYRAM.

AI-analyzed exploit summary: This is a writeup describing an OS command injection vulnerability in Typora v1.7.4. It outlines steps to exploit the vulnerability by injecting a reverse shell command into the PDF export settings.

Description

Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.

Exploits (1)

exploitdb WRITEUP
by Ahmet Ümit BAYRAM · local · windows
https://www.exploit-db.com/exploits/51752

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Typora v1.7.4
No auth needed
Prerequisites: Typora v1.7.4 installed on Windows · User interaction to configure and trigger the export
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Various Sources product
http://www.typora.io
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/51752

Scores

CVSS v3 9.8
EPSS 0.0103
EPSS Percentile 59.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
None/Typora 1.7.4
Unknown/Typora 1.7.4
Published Dec 12, 2025
Tracked Since Feb 18, 2026