QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-42184

Back to search

CVE-2026-42184

Published: May 27, 2026

Modified: May 27, 2026

PUBLISHED

Description

Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms' WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri's check to see if the origin is local, only checks the first subdomain of the URL. An attacker can abuse this by hosting a page on a domain whose subdomain matches the custom scheme of the application. This vulnerability is fixed in 2.10.3.

VendorProductVersions

tauri-apps

tauri

affected
>= 2.0, < 2.11.1

Weaknesses (CWE)

CWE-918

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now