
20 matches found

OSV
added 2026/03/24 3:07 p.m. | 5 views

CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...

CVSS 6.4 | AI score 6 | EPSS 0.00248
Exploits: 1 | References: 4

RedhatCVE
added 2026/01/09 11:25 a.m. | 8 views

CVE-2021-28119

Twinkle Tray aka twinkle-tray through 1.13.3 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

CVSS 9.8 | AI score 7.2 | EPSS 0.03578
Exploits: 1 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 5 views

EUVD-2021-14820

Malware in sbrugna...

CVSS 9.8 | AI score 9.2 | EPSS 0.03578
Exploits: 1 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2021-14833

Malware in sbrugna...

CVSS 9.8 | AI score 9.2 | EPSS 0.05169
Exploits: 1 | References: 5

RedhatCVE
added 2025/05/22 7:33 p.m. | 7 views

CVE-2021-28134

Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

CVSS 9.8 | AI score 7.2 | EPSS 0.05169
Exploits: 1 | References: 1

Snyk
added 2024/11/25 7:45 p.m. | 4 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper handling of URI schemes in the openExternal function. Note: This is exploitable only for Windows environments. Remediation: Upgrade @joplin/utils to version 2.14.1 or higher. References - GitH...

CVSS 8.8 | AI score 5.6 | EPSS 0.00749
Exploits: 1 | References: 2

Snyk
added 2024/11/25 7:45 p.m. | 4 views

Arbitrary Code Injection

Overview: @joplin/lib is a Joplin core library. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper handling of URI schemes in the openExternal function. Note: This is exploitable only for Windows environments. Remediation: Upgrade @joplin/lib to version...

CVSS 8.8 | AI score 5.6 | EPSS 0.00749
Exploits: 1 | References: 2

Vulnrichment
added 2024/11/25 7:22 p.m. | 12 views

CVE-2024-53268 Lack of validation on openExternal allows 1 click remote code execution in joplin

Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows...

CVSS 7.2 | AI score 7.5 | EPSS 0.00749
Exploits: 1 | References: 1

Cvelist
added 2024/11/25 7:22 p.m. | 25 views

CVE-2024-53268 Lack of validation on openExternal allows 1 click remote code execution in joplin

Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows...

CVSS 7.2 | EPSS 0.00749
Exploits: 1 | References: 1

CNNVD
added 2024/11/04 12:00 a.m. | 3 views

Bruno Security Vulnerability

Bruno is an open-source IDE from usebruno for exploring and testing APIs. A security vulnerability exists in Bruno version 1.29.1, which stems from Bruno's use of Electron shell.openExternal to open windows in the Markdown document viewer with no authentication...

CVSS 6.5 | AI score 6.5 | EPSS 0.00623
Exploits: 3 | References: 4

Vulnrichment
added 2023/12/15 1:44 p.m. | 16 views

CVE-2023-46116 Remote Code Execution via insufficiently sanitized call to shell.openExternal

Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victim's computer, however fails to chec...

CVSS 9.3 | AI score 7.6 | EPSS 0.01258
Exploits: 1 | References: 5

NVD
added 2021/09/17 10:15 p.m. | 15 views

CVE-2021-41392

static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API...

CVSS 9.8 | EPSS 0.02676
Exploits: 1 | References: 1

Prion
added 2021/09/17 10:15 p.m. | 17 views

Command injection

static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API...

CVSS 7.5 | AI score 9.4 | EPSS 0.02676
Exploits: 1 | References: 1 | Affected Software: 1

NVD
added 2021/03/11 12:15 a.m. | 16 views

CVE-2021-28134

Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

CVSS 9.8 | EPSS 0.05169
Exploits: 1 | References: 4

Prion
added 2021/03/11 12:15 a.m. | 18 views

Command injection

Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

CVSS 7.5 | AI score 9.4 | EPSS 0.05169
Exploits: 1 | References: 4 | Affected Software: 1

Cvelist
added 2021/03/11 12:00 a.m. | 19 views

CVE-2021-28134

Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

AI score 9.7 | EPSS 0.05169
Exploits: 1 | References: 4

NVD
added 2021/03/09 11:15 p.m. | 32 views

CVE-2021-28119

Twinkle Tray aka twinkle-tray through 1.13.3 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

CVSS 9.8 | EPSS 0.03578
Exploits: 1 | References: 1

Prion
added 2021/03/09 11:15 p.m. | 17 views

Command injection

Twinkle Tray aka twinkle-tray through 1.13.3 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

CVSS 7.5 | AI score 9.4 | EPSS 0.03578
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2021/03/09 10:14 p.m. | 36 views

CVE-2021-28119

Twinkle Tray aka twinkle-tray through 1.13.3 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API...

AI score 9.7 | EPSS 0.03578
Exploits: 1 | References: 1

CVE
added 2021/03/09 10:14 p.m. | 59 views

CVE-2021-28119

Twinkle Tray (twinkle-tray) up to version 1.13.3 is affected. A remote attacker can trigger remote command execution by sending a crafted IPC message to the exposed ipcRenderer IPC interface, which invokes the dangerous openExternal API. The issue is documented across multiple sources (NVD, Red H...

CVSS 9.8 | AI score 9.5 | EPSS 0.03578
Exploits: 1 | References: 1 | Affected Software: 1