Stackfield Desktop App CVE-2026-28373 Path Traversal Flaw Enables RCE on macOS and Windows
Summary
A critical path traversal vulnerability (CVE-2026-28373, CVSS 9.6) in the Stackfield Desktop App before version 1.10.2 for macOS and Windows allows attackers to achieve remote code execution. Published to NVD on April 4, 2026, the flaw affects the Electron-based desktop application used by organizations for secure team collaboration. Users should update to version 1.10.2 immediately.
Threat Analysis
CVE-2026-28373 is a critical path traversal vulnerability (CVSS 9.6) in the Stackfield Desktop App, a secure team collaboration application, affecting versions prior to 1.10.2 for both macOS and Windows platforms. The vulnerability exists in the Electron-based desktop application and allows attackers to traverse directory paths in a way that enables remote code execution on the victim's system. The flaw was published to the NVD on April 4, 2026.

Stackfield is marketed as a secure, GDPR-compliant collaboration platform used by organizations handling sensitive data, making this vulnerability particularly concerning for its user base. Electron-based desktop applications have historically been a source of security vulnerabilities due to the complexity of the framework and the challenges of properly sandboxing web content.

Organizations using Stackfield should immediately update to version 1.10.2 or later, verify that automatic updates are enabled, and monitor for signs of exploitation. Security teams should also review other Electron-based applications in their environment for similar path traversal vulnerabilities.
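
To act on the update guidance, a team can triage a software-inventory export against the fixed release 1.10.2. The script below is an added example, not Stackfield's or the advisory's own tooling; the CSV column names, host names and sample rows are assumptions constructed for illustration.

```python
import csv
import io

FIXED = (1, 10, 2)                          # first fixed release per the advisory
AFFECTED_PLATFORMS = {"macos", "windows"}   # platforms named in the advisory

def parse_version(text):
    """Return a tuple of ints, or None when the string is not dotted-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))    # pad "1.11" to (1, 11, 0)

def triage(row):
    """Classify one row: vulnerable, patched, unknown, or not_listed."""
    if row["platform"].strip().lower() not in AFFECTED_PLATFORMS:
        return "not_listed"                 # platform not covered by the advisory
    version = parse_version(row["version"])
    if version is None:
        return "unknown"                    # never assume safe; check by hand
    # Compare numerically: as strings, "1.9.9" would sort above "1.10.2".
    return "vulnerable" if version < FIXED else "patched"

def triage_inventory(csv_text):
    """Map host -> status for every row whose app column names Stackfield."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "stackfield" in row["app"].lower():
            result[row["host"]] = triage(row)
    return result

# Constructed sample export; hosts and versions are invented.
SAMPLE = """host,platform,app,version
ws-001,Windows,Stackfield,1.9.9
mb-014,macOS,Stackfield,1.10.2
ws-022,Windows,Stackfield,1.10.1
mb-031,macOS,Stackfield,v1.11
ws-040,Windows,Stackfield,beta
lx-007,Linux,Stackfield,1.8.0
ws-050,Windows,ExampleChat,4.0.0
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` carry a version string the parser could not read and should be checked manually rather than treated as patched.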