Use After Free

Electron is vulnerable to Use After Free. The vulnerability is due to improper handling of child windows in offscreen rendering mode after the parent WebContents is destroyed, which allows an attacker to trigger memory corruption or application crashes through crafted child window interactions...

CVE-2026-34765

CVE-2026-34765 : Electron prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5 has a window.open() targeting flaw where the named-window lookup is not scoped to the opener’s browsing context group. A renderer could navigate a child window opened by a different renderer if both share the same targe...

CVE-2026-34765 Electron named window.open targets not scoped to the opener's browsing context

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing...

CVE-2026-34774

A flaw was found in Electron. This use-after-free vulnerability occurs in applications that utilize offscreen rendering and permit child windows. When the parent offscreen WebContents is destroyed while a child window remains active, subsequent rendering attempts on the child can access freed...

CVE-2026-34774

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open may be vulnerable to a use-after-free. If the parent offscreen WebContent...

CVE-2026-34774

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open may be vulnerable to a use-after-free. If the parent offscreen WebContent...

CVE-2026-34774 Electron: Use-after-free in offscreen child window paint callback

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open may be vulnerable to a use-after-free. If the parent offscreen WebContent...

CVE-2026-34774

Electron is affected when apps use offscreen rendering (webPreferences.offscreen: true) and allow child windows via window.open(). In such cases, if the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child can dereference freed memory, ...

Improper Isolation or Compartmentalization

Overview org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the nodeIntegrationInWorker configuration in...

GHSA-532V-XPQ5-8H95 Electron: Use-after-free in offscreen child window paint callback

Impact Apps that use offscreen rendering and allow child windows via window.open may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or...

Electron: Use-after-free in offscreen child window paint callback

Impact Apps that use offscreen rendering and allow child windows via window.open may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or...

PT-2026-30004

Impact Apps that use offscreen rendering and allow child windows via window.open may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or...

Joplin 1.0.245 - Arbitrary Code Execution (PoC)

Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution PoC Date: 2020-09-21 Exploit Author: Ademar Nowasky Junior @nowaskyjr Vendor Homepage: https://joplinapp.org/ Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe Version: 1.0.190 to 1.0.245...

Electron WebPreferences - Remote Code Execution

Electron WebPreferences - Remote Code Execution CVE-2018-15685 - Electron WebPreferences Remote Code Execution This is a minimal Electron application with a POC for CVE-2018-15685. A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windo...

CVE-2007-0780

browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting XSS attacks by opening a blocked popup originating from a javascript: URI in...