11 matches found
CVE-2026-42045
CVE-2026-42045 affects LobeHub/LobeChat prior to version 2.1.48. The issue combines a client‑side XSS in the Render path (Renderer defaulting to HTMLRenderer for unknown tags) with an insecure IPC interface runCommand in the Electron main process. An attacker who can induce the LLM to emit malici...
GHSA-XQ4X-622M-Q8FQ LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
Summary: The vulnerability was automatically discovered by an AI agent and then manually verified. LobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious...
CVE-2026-34778
A flaw was found in Electron, a framework for building desktop applications. A service worker running in a session could spoof reply messages on the internal Inter-Process Communication (IPC) channel. This vulnerability affects applications that have service workers registered and use the results o...
CVE-2026-34778
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and...
GHSA-XJ5X-M3F3-5X3H Electron: Service worker can spoof executeJavaScript IPC replies
Impact: A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered...
PT-2026-30008
Impact: A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered...
Internet Bug Bounty: Disabling context isolation, nodeIntegrationInSubFrames using an unauthorised frame.
Details can be found in the following GitHub advisory: https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7 Impact: Using a renderer exploit, context isolation and nodeIntegrationInSubFrames can be disabled, which enables an attacker to leak IPC module and communicate with...
The vulnerability in the OpenVPN Connect software stems from shortcomings in how it calls system libraries. This allows an attacker to execute arbitrary code with the same level of privileges as the main OpenVPN process.
The vulnerability of the OpenVPN Connect software is related to deficiencies in the mechanism for calling system libraries. Exploiting this vulnerability allows an attacker to execute arbitrary code with the same level of privileges as the main OpenVPN process, using the OpenSSL configuration fil...
UBUNTU-CVE-2020-26566
A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request...
CVE-2019-9818
A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. Note: this vulnerability only affects Windows. Other operating...
CVE-2019-9818
A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. Note: this vulnerability only affects Windows. Other operating...