pkg:npm/electron

All known vulnerabilities

• CRITICAL9.6CVE-2022-4135⚠ KEVchromium - security update
  >= 19.0.0, < 19.1.8
• HIGH8.8CVE-2023-5217⚠ KEVlibvpx - security update
  from 0, < 22.3.25
• HIGH8.8⚠ KEVthunderbird - security update
  >= 22.0.0, < 22.3.24
• CRITICAL9.8Chromium Remote Code Execution in electron
  from 0, < 1.6.14
• HIGH8.8Electron protocol handler browser vulnerable to Command Injection
  from 0, < 1.8.2-beta5
• HIGH8.8Remote Code Execution in electron
  >= 1.7.0, < 1.7.11
• HIGH8.3Electron: Context Isolation bypass via contextBridge VideoFrame transfer
  >= 39.0.0-alpha.1, < 39.8.0
• HIGH8.1Electron: Use-after-free in offscreen child window paint callback
  from 0, < 39.8.1
• HIGH8.1Electron vulnerable to remote command execution
  from 0, < 1.6.8
• HIGH8.1Electron webPreferences vulnerability can be used to perform remote code execution
  >= 1.7.0, < 1.7.16
• HIGH8.1Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
  >= 1.7.0, < 1.7.13
• HIGH7.8electron ASAR Integrity bypass by just modifying the content
  >= 30.0.0-alpha.1, < 30.0.5
• HIGH7.8Context isolation bypass via leaked cross-context objects in Electron
  from 0, < 7.2.4
• HIGH7.8High severity vulnerability that affects electron
  from 0, < 0.33.5
• HIGH7.7Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
  from 0, < 38.8.6
• HIGH7.7Context isolation bypass via contextBridge in Electron
  from 0, < 7.2.4
• HIGH7.5Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
  from 0, < 38.8.6
• HIGH7.5Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled
  >= 22.0.0-beta.1, < 22.0.1
• HIGH7.5Unpreventable top-level navigation
  >= 8.0.0-beta.0, < 8.5.1
• HIGH7.0Electron: Use-after-free in PowerMonitor on Windows and macOS
  from 0, < 38.8.6
• MEDIUM6.8Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
  from 0, < 38.8.6
• MEDIUM6.8Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
  from 0, < 11.5.0
• MEDIUM6.8Arbitrary file read via window-open IPC in Electron
  from 0, < 7.2.4
• MEDIUM6.8Context isolation bypass via Promise in Electron
  from 0, < 6.1.11
• MEDIUM6.6AutoUpdater module fails to validate certain nested components of the bundle
  from 0, < 15.5.0
• MEDIUM6.5Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
  from 0, < 38.8.6
• MEDIUM6.1Electron has ASAR Integrity Bypass via resource modification
  from 0, < 35.7.5
• MEDIUM6.1ASAR Integrity bypass via filetype confusion in electron
  from 0, < 22.3.24
• MEDIUM6.1Electron vulnerable to out-of-package code execution when launched with arbitrary cwd
  from 0, < 22.3.19
• MEDIUM6.0Electron: Named window.open targets not scoped to the opener's browsing context
  from 0, < 39.8.5
• MEDIUM6.0Electron context isolation bypass via nested unserializable return value
  from 0, < 22.3.6
• MEDIUM5.9Electron: Service worker can spoof executeJavaScript IPC replies
  from 0, < 38.8.6
• MEDIUM5.9Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
  from 0, < 38.8.6
• MEDIUM5.8Electron: Use-after-free in download save dialog callback
  from 0, < 38.8.6
• MEDIUM5.6Context isolation bypass in Electron
  >= 8.0.0-beta.0, < 8.5.2
• MEDIUM5.4Electron: Incorrect origin passed to permission request handler for iframe requests
  from 0, < 38.8.6
• MEDIUM5.4Exfiltration of hashed SMB credentials on Windows via file:// redirect
  from 0, < 18.3.7
• MEDIUM5.4IPC messages delivered to the wrong frame in Electron
  from 0, < 9.4.0
• MEDIUM5.3Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
  from 0, < 38.8.6
• MEDIUM4.7Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
  from 0, < 38.8.6
• MEDIUM4.3Electron vulnerable to URL spoofing via PDFium
  >= 1.7.0, < 1.7.6
• LOW3.9Electron: Unquoted executable path in app.setLoginItemSettings on Windows
  from 0, < 38.8.6
• LOW3.4Renderers can obtain access to random bluetooth device without permission in Electron
  from 0, < 13.6.6
• LOW3.3Electron: USB device selection not validated against filtered device list
  from 0, < 38.8.6
• LOW2.8Electron: Crash in clipboard.readImage() on malformed clipboard image data
  from 0, < 39.8.5
• LOW2.3Electron: Use-after-free in offscreen shared texture release() callback
  >= 33.0.0-alpha.1, < 39.8.5
• LOW2.2Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
  from 0, < 15.5.5
• —Electron vulnerable to Heap Buffer Overflow in NativeImage
  from 0, < 28.3.2