
6 matches found

NVD
added 2025/08/05 1:15 a.m., 2 views

CVE-2025-54871

Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be...

CVSS 7.8, EPSS 0.00061
Exploits: 1, References: 3
OSV
added 2025/08/05 12:3 a.m., 2 views

CVE-2025-54871 Electron Capture is Vulnerable to TCC Bypass via Misconfigured Node Fuses (macOS)

Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be...

CVSS 5.5, AI score 6.8, EPSS 0.00061
Exploits: 1, References: 5
CVE
added 2025/08/05 12:3 a.m., 13 views

CVE-2025-54871

CVE-2025-54871 affects Electron Capture (elecap) on macOS. Versions 2.19.1 and earlier expose a TCC bypass: enabling the ELECTRON_RUN_AS_NODE environment variable allows arbitrary Node.js code to run via the -e flag inside the main Electron context, inheriting existing TCC entitlements (e.g., acc...

CVSS 7.8, AI score 6.4, EPSS 0.00061
Exploits: 1, References: 3, Affected Software: 1
RedhatCVE
added 2025/05/22 3:27 a.m., 4 views

CVE-2018-18524

Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote execution command on t...

CVSS 6.1, AI score 6.4, EPSS 0.01387
Exploits: 1, References: 1
Github Security Blog
added 2022/02/10 11:41 p.m., 44 views

Code injection in @rkesters/gnuplot

@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands...

CVSS 9.8, AI score 6.3, EPSS 0.01099
Exploits: 0, References: 4, Affected Software: 1
Hacker One
added 2021/04/18 3:45 a.m., 131 views

PortSwigger Web Security: RCE in 'Copy as Node Request' BApp via code injection

Description: Copy as Node Request is a Burp Suite extension that allows users to copy requests as Node.js code. Due to improper sanitization of cookie, it's possible to inject arbitrary Node.js code in copied text, which may lead remote code execution with a significant amount of user interaction...

AI score 1.2
Exploits: 0