Electronjs Electron

20 matches found

CVE | added 2023/09/06 9:15 p.m. | 2569 views

CVE-2023-29198

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using contextIsolation and contextBridge are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach int...

8.5 CVSS | 6.9 AI score | 0.00148 EPSS

CVE | added 2022/06/13 9:15 p.m. | 484 views

CVE-2022-29247

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames...

9.8 CVSS | 6.5 AI score | 0.00388 EPSS

CVE | added 2023/09/06 9:15 p.m. | 446 views

CVE-2023-39956

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with a...

6.6 CVSS | 6.7 AI score | 0.00027 EPSS

CVE | added 2023/09/06 9:15 p.m. | 119 views

CVE-2023-23623

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox...

9.8 CVSS | 8.7 AI score | 0.00501 EPSS

CVE | added 2022/03/22 5:15 p.m. | 114 views

CVE-2022-21718

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not config...

5 CVSS | 4.4 AI score | 0.00887 EPSS

CVE | added 2022/06/13 10:15 p.m. | 74 views

CVE-2022-29257

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given app's update server / update storage to serve maliciously crafte...

7.2 CVSS | 6.7 AI score | 0.00413 EPSS

CVE | added 2020/10/06 6:15 p.m. | 66 views

CVE-2020-15174

In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versio...

7.5 CVSS | 7.4 AI score | 0.00189 EPSS

CVE | added 2018/08/23 5:29 a.m. | 56 views

CVE-2018-15685

GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.

8.1 CVSS | 8.2 AI score | 0.13253 EPSS

CVE | added 2022/11/08 7:15 a.m. | 56 views

CVE-2022-36077

The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting...

7.2 CVSS | 6.2 AI score | 0.00075 EPSS

CVE | added 2018/03/23 7:29 p.m. | 53 views

CVE-2018-1000136

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appears to be exploitable via an app which allows execution of 3rd party code AND disallows node int...

8.1 CVSS | 8.4 AI score | 0.01856 EPSS

CVE | added 2020/07/07 12:15 a.m. | 52 views

CVE-2020-4076

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9....

9 CVSS | 8.3 AI score | 0.00075 EPSS

CVE | added 2018/03/07 2:29 p.m. | 45 views

CVE-2018-1000118

GitHub Electron version 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execution. This attack appears to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have ...

9.3 CVSS | 8.9 AI score | 0.93156 EPSS

CVE | added 2020/07/07 12:15 a.m. | 45 views

CVE-2020-15096

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There ...

6.8 CVSS | 6.4 AI score | 0.00237 EPSS

CVE | added 2020/10/06 6:15 p.m. | 44 views

CVE-2020-15215

Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nodeIntegrationInSubFrames: true are affected. This is a context isolation bypass, meanin...

6.8 CVSS | 5.4 AI score | 0.00282 EPSS

CVE | added 2021/10/12 7:15 p.m. | 44 views

CVE-2021-39184

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially...

8.6 CVSS | 7.5 AI score | 0.00366 EPSS

CVE | added 2018/06/07 2:29 a.m. | 42 views

CVE-2017-16151

Based on details posted by the ElectronJS team: a remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled...

9.8 CVSS | 9.6 AI score | 0.02845 EPSS

CVE | added 2020/07/07 12:15 a.m. | 40 views

CVE-2020-4077

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This ...

9.9 CVSS | 8.5 AI score | 0.00436 EPSS

CVE | added 2020/07/07 12:15 a.m. | 38 views

CVE-2020-4075

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not somet...

7.5 CVSS | 6.8 AI score | 0.00264 EPSS

CVE | added 2023/12/01 10:15 p.m. | 38 views

CVE-2023-44402

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific ...

7 CVSS | 6.2 AI score | 0.00115 EPSS

CVE | added 2021/01/28 7:15 p.m. | 37 views

CVE-2020-26272

The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, even...

6.5 CVSS | 5.8 AI score | 0.00965 EPSS