| 0 |
|
| 1 |
| url |
VCID-2tjw-wwpp-57ac |
| vulnerability_id |
VCID-2tjw-wwpp-57ac |
| summary |
Improper Control of Generation of Code ('Code Injection')
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:`26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds, users must update to a patched version of Electron. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/electron@24.7.1 |
| purl |
pkg:npm/electron@24.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-de1j-4qwd-duab |
|
| 8 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 9 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 10 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 11 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 12 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 13 |
| vulnerability |
VCID-k669-cacz-9fcd |
|
| 14 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 15 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 16 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 17 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 18 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 19 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 20 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@24.7.1 |
|
| 1 |
| url |
pkg:npm/electron@25.5.0 |
| purl |
pkg:npm/electron@25.5.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-de1j-4qwd-duab |
|
| 8 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 9 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 10 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 11 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 12 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 13 |
| vulnerability |
VCID-k669-cacz-9fcd |
|
| 14 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 15 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 16 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 17 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 18 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 19 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 20 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@25.5.0 |
|
| 2 |
|
| 3 |
| url |
pkg:npm/electron@26.0.0 |
| purl |
pkg:npm/electron@26.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-de1j-4qwd-duab |
|
| 8 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 9 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 10 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 11 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 12 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 13 |
| vulnerability |
VCID-k669-cacz-9fcd |
|
| 14 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 15 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 16 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 17 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 18 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 19 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 20 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@26.0.0 |
|
|
| aliases |
CVE-2023-39956, GHSA-7x97-j373-85x5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2tjw-wwpp-57ac |
|
| 2 |
| url |
VCID-3wxh-7cvs-g3et |
| vulnerability_id |
VCID-3wxh-7cvs-g3et |
| summary |
Electron: Electron: Arbitrary code execution and security bypass via undocumented command-line switches |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/electron@39.8.0 |
| purl |
pkg:npm/electron@39.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 4 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 5 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 6 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 7 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 8 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 9 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 10 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 11 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 12 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.0 |
|
| 2 |
| url |
pkg:npm/electron@40.7.0 |
| purl |
pkg:npm/electron@40.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 4 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 5 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 6 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 7 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 8 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 9 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 10 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 11 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.7.0 |
|
| 3 |
|
|
| aliases |
CVE-2026-34769, GHSA-9wfr-w7mm-pc7f
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3wxh-7cvs-g3et |
|
| 3 |
|
| 4 |
|
| 5 |
| url |
VCID-5w4g-q3st-m7hf |
| vulnerability_id |
VCID-5w4g-q3st-m7hf |
| summary |
Electron: Electron: Memory corruption and crash due to use-after-free in offscreen rendering |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/electron@40.7.0 |
| purl |
pkg:npm/electron@40.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 4 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 5 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 6 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 7 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 8 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 9 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 10 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 11 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.7.0 |
|
| 2 |
|
|
| aliases |
CVE-2026-34774, GHSA-532v-xpq5-8h95
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5w4g-q3st-m7hf |
|
| 6 |
| url |
VCID-6vad-u5vg-dba5 |
| vulnerability_id |
VCID-6vad-u5vg-dba5 |
| summary |
Electron: Electron: Unauthorized USB device access via select-usb-device event callback validation bypass |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/electron@39.8.0 |
| purl |
pkg:npm/electron@39.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 4 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 5 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 6 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 7 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 8 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 9 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 10 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 11 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 12 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.0 |
|
| 2 |
| url |
pkg:npm/electron@40.7.0 |
| purl |
pkg:npm/electron@40.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 4 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 5 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 6 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 7 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 8 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 9 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 10 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 11 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.7.0 |
|
| 3 |
|
|
| aliases |
CVE-2026-34766, GHSA-9899-m83m-qhpj
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6vad-u5vg-dba5 |
|
| 7 |
| url |
VCID-73qk-x8vr-sfdp |
| vulnerability_id |
VCID-73qk-x8vr-sfdp |
| summary |
Improper Check for Unusual or Exceptional Conditions
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/electron@24.1.0 |
| purl |
pkg:npm/electron@24.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-2tjw-wwpp-57ac |
|
| 2 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 3 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 4 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 5 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 6 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 7 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 8 |
| vulnerability |
VCID-de1j-4qwd-duab |
|
| 9 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 10 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 11 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 12 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 13 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 14 |
| vulnerability |
VCID-k669-cacz-9fcd |
|
| 15 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 16 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 17 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 18 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 19 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 20 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 21 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@24.1.0 |
|
| 2 |
| url |
pkg:npm/electron@25.0.0-alpha.2 |
| purl |
pkg:npm/electron@25.0.0-alpha.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-2tjw-wwpp-57ac |
|
| 2 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 3 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 4 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 5 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 6 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 7 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 8 |
| vulnerability |
VCID-de1j-4qwd-duab |
|
| 9 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 10 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 11 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 12 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 13 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 14 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 15 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 16 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 17 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 18 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 19 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@25.0.0-alpha.2 |
|
|
| aliases |
CVE-2023-29198, GHSA-p7v2-p9m8-qqg7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-73qk-x8vr-sfdp |
|
| 8 |
| url |
VCID-7c28-bmu2-qbcs |
| vulnerability_id |
VCID-7c28-bmu2-qbcs |
| summary |
Electron has ASAR Integrity Bypass via resource modification
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted.
Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/electron@35.7.5 |
| purl |
pkg:npm/electron@35.7.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 7 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 8 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 9 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 10 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 11 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 12 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 13 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 14 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 15 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 16 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@35.7.5 |
|
| 1 |
| url |
pkg:npm/electron@36.8.1 |
| purl |
pkg:npm/electron@36.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 7 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 8 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 9 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 10 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 11 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 12 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 13 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 14 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 15 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 16 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@36.8.1 |
|
| 2 |
| url |
pkg:npm/electron@37.3.1 |
| purl |
pkg:npm/electron@37.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 7 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 8 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 9 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 10 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 11 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 12 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 13 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 14 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 15 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 16 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@37.3.1 |
|
| 3 |
| url |
pkg:npm/electron@38.0.0-beta.6 |
| purl |
pkg:npm/electron@38.0.0-beta.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 7 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 8 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 9 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 10 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 11 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 12 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 13 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 14 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 15 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 16 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@38.0.0-beta.6 |
|
|
| aliases |
CVE-2025-55305, GHSA-vmqv-hx8q-j7mg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7c28-bmu2-qbcs |
|
| 9 |
| url |
VCID-de1j-4qwd-duab |
| vulnerability_id |
VCID-de1j-4qwd-duab |
| summary |
ASAR Integrity bypass via filetype confusion in electron
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.
Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/electron@24.8.3 |
| purl |
pkg:npm/electron@24.8.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 8 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 9 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 10 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 11 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 12 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 13 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 14 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 15 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 16 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 17 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 18 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@24.8.3 |
|
| 1 |
| url |
pkg:npm/electron@25.8.1 |
| purl |
pkg:npm/electron@25.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 8 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 9 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 10 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 11 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 12 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 13 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 14 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 15 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 16 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 17 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 18 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@25.8.1 |
|
| 2 |
| url |
pkg:npm/electron@26.2.1 |
| purl |
pkg:npm/electron@26.2.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 8 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 9 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 10 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 11 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 12 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 13 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 14 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 15 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 16 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 17 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 18 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@26.2.1 |
|
| 3 |
|
| 4 |
| url |
pkg:npm/electron@27.0.0-beta.1 |
| purl |
pkg:npm/electron@27.0.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 8 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 9 |
| vulnerability |
VCID-ghpk-c1e6-pkae |
|
| 10 |
| vulnerability |
VCID-hzte-vg4j-cbgt |
|
| 11 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 12 |
| vulnerability |
VCID-k669-cacz-9fcd |
|
| 13 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 14 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 15 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 16 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 17 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 18 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 19 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@27.0.0-beta.1 |
|
|
| aliases |
CVE-2023-44402, GHSA-7m48-wc93-9g85
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-de1j-4qwd-duab |
|
| 10 |
| url |
VCID-df1y-n1s8-x3g4 |
| vulnerability_id |
VCID-df1y-n1s8-x3g4 |
| summary |
Electron: Electron: Use-after-free vulnerability leads to memory corruption or crash |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/electron@39.8.0 |
| purl |
pkg:npm/electron@39.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 4 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 5 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 6 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 7 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 8 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 9 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 10 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 11 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 12 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.0 |
|
| 2 |
| url |
pkg:npm/electron@40.7.0 |
| purl |
pkg:npm/electron@40.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 4 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 5 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 6 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 7 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 8 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 9 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 10 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 11 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.7.0 |
|
| 3 |
| url |
pkg:npm/electron@41.0.0-beta.7 |
| purl |
pkg:npm/electron@41.0.0-beta.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2h5f-hwjw-77dp |
|
| 1 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 2 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 3 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 4 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 5 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 6 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 7 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 8 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 9 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 10 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 11 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 12 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 13 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 14 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 15 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 16 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0-beta.7 |
|
|
| aliases |
CVE-2026-34772, GHSA-9w97-2464-8783
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-df1y-n1s8-x3g4 |
|
| 11 |
|
| 12 |
| url |
VCID-hzte-vg4j-cbgt |
| vulnerability_id |
VCID-hzte-vg4j-cbgt |
| summary |
Electron vulnerable to Heap Buffer Overflow in NativeImage
The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/electron@28.3.2 |
| purl |
pkg:npm/electron@28.3.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 8 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 9 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 10 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 11 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 12 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 13 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 14 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 15 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 16 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@28.3.2 |
|
| 1 |
| url |
pkg:npm/electron@29.3.3 |
| purl |
pkg:npm/electron@29.3.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 8 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 9 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 10 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 11 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 12 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 13 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 14 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 15 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 16 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@29.3.3 |
|
| 2 |
| url |
pkg:npm/electron@30.0.3 |
| purl |
pkg:npm/electron@30.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-3wxh-7cvs-g3et |
|
| 2 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 3 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 4 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 5 |
| vulnerability |
VCID-6vad-u5vg-dba5 |
|
| 6 |
| vulnerability |
VCID-7c28-bmu2-qbcs |
|
| 7 |
| vulnerability |
VCID-9x1q-7ngy-jyhw |
|
| 8 |
| vulnerability |
VCID-df1y-n1s8-x3g4 |
|
| 9 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 10 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 11 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 12 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 13 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 14 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 15 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 16 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
| 17 |
| vulnerability |
VCID-zzcf-uus6-rqa8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@30.0.3 |
|
|
| aliases |
CVE-2024-46993, GHSA-6r2x-8pq8-9489
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hzte-vg4j-cbgt |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
| url |
VCID-t1uc-59dn-j3gd |
| vulnerability_id |
VCID-t1uc-59dn-j3gd |
| summary |
Electron: Use-after-free in PowerMonitor on Windows and macOS
### Impact
Apps that use the `powerMonitor` module may be vulnerable to a use-after-free. After the native `PowerMonitor` object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.
All apps that access `powerMonitor` events (`suspend`, `resume`, `lock-screen`, etc.) are potentially affected. The issue is not directly renderer-controllable.
### Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
### Fixed Versions
* `41.0.0-beta.8`
* `40.8.0`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34770, GHSA-jjp3-mq3x-295m
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t1uc-59dn-j3gd |
|
| 18 |
| url |
VCID-wfx6-9nh3-quar |
| vulnerability_id |
VCID-wfx6-9nh3-quar |
| summary |
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
### Impact
On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.
Apps are only affected if they call `app.moveToApplicationsFolder()`. Apps that do not use this API are not affected.
### Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
### Fixed Versions
* `41.0.0-beta.8`
* `40.8.0`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34779, GHSA-5rqw-r77c-jp79
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wfx6-9nh3-quar |
|
| 19 |
|
| 20 |
| url |
VCID-zzcf-uus6-rqa8 |
| vulnerability_id |
VCID-zzcf-uus6-rqa8 |
| summary |
electron: Electron: Memory corruption or application crash via use-after-free in permission request handling |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/electron@39.8.0 |
| purl |
pkg:npm/electron@39.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-5w4g-q3st-m7hf |
|
| 4 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 5 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 6 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 7 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 8 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 9 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 10 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 11 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 12 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.0 |
|
| 2 |
| url |
pkg:npm/electron@40.7.0 |
| purl |
pkg:npm/electron@40.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kk5-3p41-kycs |
|
| 1 |
| vulnerability |
VCID-4u89-87dg-zqdt |
|
| 2 |
| vulnerability |
VCID-5cmc-cnnq-xyhw |
|
| 3 |
| vulnerability |
VCID-egxx-avtf-ekah |
|
| 4 |
| vulnerability |
VCID-j8e6-q6j5-tyf8 |
|
| 5 |
| vulnerability |
VCID-jy1k-8gy7-pkb7 |
|
| 6 |
| vulnerability |
VCID-p1m4-3gu6-zffw |
|
| 7 |
| vulnerability |
VCID-pjqf-nps2-7yhc |
|
| 8 |
| vulnerability |
VCID-qs5f-9ftk-fben |
|
| 9 |
| vulnerability |
VCID-t1uc-59dn-j3gd |
|
| 10 |
| vulnerability |
VCID-wfx6-9nh3-quar |
|
| 11 |
| vulnerability |
VCID-x7he-eg8d-g7hj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.7.0 |
|
| 3 |
|
|
| aliases |
CVE-2026-34771, GHSA-8337-3p73-46f4
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zzcf-uus6-rqa8 |
|