CVE-2026-54257 Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 42.3.1 until 42.3.3, Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow. Most apps will crash and some may perform incorrect buffer allocations in t...

CVE-2026-54257

CVE-2026-54257 affects Electron 42.3.1 through 42.3.2 where the Node.js Buffer API uses incorrect byte-length calculations, causing heap underflow/overflow. This can lead to crashes and, in some cases, incorrect buffer allocations (truncation or misallocation). The issue is fixed in Electron 42.3...

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

EUVD-2026-38161

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVE-2026-56395

SiYuan exposes a vulnerability (CVE-2026-56395) where SieYuan versions prior to 3.6.1 fail to sanitize Bazaar marketplace metadata and README content, enabling arbitrary HTML/JavaScript injection. The underlying issue is improper sanitization of package displayName, description, or README fields,...

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

Buffer Overflow

Overview electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Buffer Overflow in the Buffer API. An attacker can cause application crashes or trigger incorrect memory allocations by...

Buffer Overflow

Overview org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Buffer Overflow in the Buffer API. An attacker can cause application crashes or trigger incorrect memory...

GHSA-Q6M5-F73J-M9MC Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow

Impact Most apps will crash and some may perform incorrect buffer allocations in the Node.js Buffer API resulting in unexpected truncation or allocation. Workarounds No workarounds. Do not use these impacted Electron releases Fixed Versions 42.3.3 For more information If you have any questions or...

Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow

Impact Most apps will crash and some may perform incorrect buffer allocations in the Node.js Buffer API resulting in unexpected truncation or allocation. Workarounds No workarounds. Do not use these impacted Electron releases Fixed Versions 42.3.3 For more information If you have any questions or...

NPM: Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow

NPM: Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow vulnerability discovered by ? in WordPress Npm electron versions = 42.3.1, 42.3.3...

PT-2026-49579

Name of the Vulnerable Software and Affected Versions Electron versions 42.3.1 through 42.3.2 Description Incorrect byte length calculations in the Node.js Buffer API cause heap underflow or overflow, which can lead to memory corruption or application crashes. This issue may result in incorrect...

CVE-2026-42890

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

CVE-2026-42890 actual Allows Electron to Run As Node

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

CVE-2026-42890 actual Allows Electron to Run As Node

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

EUVD-2026-36547

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

CVE-2026-42890

CVE-2026-42890 affects the macOS desktop application Actual (version 25.x, Electron 39.2.7). The ELECTRON_RUN_AS_NODE fuse was not disabled, allowing a local attacker who can place a file on disk or influence command-line arguments to invoke Actual.app with ELECTRON_RUN_AS_NODE=1. This converts t...

Malicious code in @403name/electron-buidler (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4 On require, index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in...