Lucene search
+L

135 matches found

NVD
NVD
added 2026/04/24 7:17 p.m.16 views

CVE-2026-41421

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast...

8.8CVSS0.00134EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/08 3:3 p.m.4 views

EUVD-2026-19973

SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions...

9CVSS6AI score0.00538EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/08 3:3 p.m.6 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the handling of table captions during the rendering process. An attacker can execute arbitrary code with the privileges of the desktop client by syncing a crafted note containing malicious HTML or JavaScript ...

9CVSS6AI score0.00538EPSS
Exploits1References3
OSV
OSV
added 2026/04/07 9:34 p.m.5 views

CVE-2026-39846 SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions

SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML,...

9CVSS6.6AI score0.00538EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.9 views

PT-2026-31031

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.4 Description SiYuan is susceptible to remote code execution RCE via a stored cross-site scripting XSS vulnerability in table captions. The issue arises because table caption content is stored without proper escapi...

9CVSS6.5AI score0.00538EPSS
Exploits1References11
RedhatCVE
RedhatCVE
added 2026/04/06 4:54 p.m.6 views

CVE-2026-34780

A flaw was found in Electron, a framework for building cross-platform desktop applications. An attacker capable of executing JavaScript in the main world, for instance through a cross-site scripting XSS vulnerability, could exploit this flaw. By passing VideoFrame objects from the WebCodecs API...

8.3CVSS6.3AI score0.00327EPSS
Exploits0References4
NVD
NVD
added 2026/04/04 1:16 a.m.7 views

CVE-2026-34780

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS0.00327EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/04 12:2 a.m.3 views

CVE-2026-34780

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS5.9AI score0.00327EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/04 12:2 a.m.23 views

CVE-2026-34780 Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS0.00327EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/04 12:2 a.m.2 views

CVE-2026-34780 Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS5.9AI score0.00327EPSS
Exploits0References1
OSV
OSV
added 2026/04/04 12:2 a.m.3 views

CVE-2026-34780 Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS6AI score0.00327EPSS
Exploits0References6
CVE
CVE
added 2026/04/04 12:2 a.m.34 views

CVE-2026-34780

Electron context isolation bypass via contextBridge VideoFrame transfer affects versions 39.0.0-alpha.1–39.7.x, 40.0.0-alpha.1–40.6.x, and 41.0.0-alpha.1–41.0.0-beta.7 (inclusive) where passing VideoFrame objects across the contextBridge can let a main-world attacker access the isolated world and...

8.3CVSS5.9AI score0.00327EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/04/04 12:0 a.m.10 views

Electron 安全漏洞

Electron is a JavaScript framework developed by users for creating cross-platform desktop applications under the open-source license. This framework is based on Node.js and Chromium, allowing the development of cross-platform desktop applications using HTML and CSS. Vulnerabilities exist in...

8.3CVSS5.8AI score0.00327EPSS
Exploits0References1
OSV
OSV
added 2026/04/03 2:46 a.m.3 views

GHSA-JFQG-HF23-QPW2 Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Impact Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world for example, via XSS can use a bridged VideoFrame to gain access to the isolated world, including any...

8.3CVSS6AI score0.00327EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/03 2:46 a.m.8 views

EUVD-2026-18961

Electron: Context Isolation bypass via contextBridge VideoFrame transfer...

8.3CVSS5.9AI score0.00327EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/03 2:46 a.m.17 views

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Impact Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world for example, via XSS can use a bridged VideoFrame to gain access to the isolated world, including any...

8.3CVSS6AI score0.00327EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/02 6:2 p.m.10 views

CVE-2026-34725

DbGate (multi-platform: web and Electron desktop) contains a stored XSS in the icon rendering path impacting versions 7.0.0–7.1.5. Attacker-controlled SVG icons stored as applicationIcon are rendered without sanitization, enabling script execution in another user’s browser (web UI) and, in Electr...

8.2CVSS6.2AI score0.00168EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/02 6:2 p.m.21 views

CVE-2026-34725 dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration

DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in t...

8.2CVSS0.00168EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/01 10:19 p.m.8 views

dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration

Summary A stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because...

8.2CVSS6.3AI score0.00168EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/01 10:19 p.m.4 views

GHSA-35XM-QVJG-8M42 dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration

Summary A stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because...

8.2CVSS6.3AI score0.00168EPSS
Exploits0References5
Rows per page
Query Builder