EUVD-2025-124520

Malicious code in nestjs-nodejs-electron-builder-auth npm...

CVE-2025-56800

Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable...

EUVD-2024-41542

Malicious code in bioql PyPI...

Malicious code in @dropbox-photo-viewer/electron-app (npm)

The package @dropbox-photo-viewer/electron-app was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c0e60f8bd38264b681d07237c310d98471fc7bfc1b9ab2bfabf4258bf01a9ea9 Any computer that has this package installed or running should be...

CVE-2024-45621

The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents...

CVE-2024-23743

Notion through 3.1.0 on macOS might allow code execution because of RunAsNode and enableNodeClilnspectArguments. NOTE: the vendor states "the attacker must launch the Notion Desktop application with nonstandard flags that turn the Electron-based application into a Node.js execution environment."...

CVE-2024-45621

The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents...

CVE-2024-21625

SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol sidequest:// to trigger actions in the application from its web contents. Because, prior to version 0.10.35, the deep link URLs were not sanitized...

Remote code execution

SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol sidequest:// to trigger actions in the application from its web contents. Because, prior to version 0.10.35, the deep link URLs were not sanitized...

CVE-2023-22524: RCE Vulnerability in Atlassian Companion for macOS

TL;DR This blog unveils a remote code execution vulnerability, identified as CVE-2023-22524, in Atlassian Companion for macOS, which has recently been patched. This critical vulnerability stemmed from an ability to bypass both the apps blocklist and macOS Gatekeeper, potentially allowing the...

npm create-choo-electron 安全漏洞

npm create-choo-electron is a program from npm USA. It is used to create a new Choo Electron application. A security vulnerability exists in create-choo-electron, which stems from the devInstall function not validating user input...

CVE-2021-44042

An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed when the injected content...

Code injection

An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed when the injected content...

UiPath Assistant 注入漏洞

UiPath Assistant is a specialized tool for UiPath designed to make it easy and fun for users to interact with bots from the desktop. UiPath Assistant 21.4.4 suffers from a security vulnerability that stems from user control data provided to the --process-start parameter of the uipath-assistant://...

OS Command Injection in fabio286/antares

✍️ Description The application displays the connection error message returned by the server without removing the malicious tags, which leads to XSS attacks. https://imgur.com/3MhhvFp.png https://i.imgur.com/RksNgXF.png Being an application made in electron, an XSS can be scaled to RCE, making it...

Postbird 0.8.4 - Javascript Injection Exploit

Exploit Title: Postbird 0.8.4 - Javascript Injection Exploit Author: Debshubra Chakraborty Vendor Homepage: https://github.com/paxa/postbird Software Link: https://www.electronjs.org/apps/postbird Version: 0.8.4 Tested on: Linux CVE : CVE-2021-33570 """ XSS Payload LFI Payload PostgreSQL Password...

vulhub

It is an open-source collection of pre-built vulnerable docker environments. The repository contains a variety of vulnerable environments, including Flask SSTI, Apache Parsing Vulnerability, and more. The environments are designed to be easy to use, with simple installation and usage instructions...