VulnerableCode Package Details - pkg:npm/electron@10.0.0-beta.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-6pvc-cdyz-gkcv Aliases: CVE-2020-15174 GHSA-2q4g-w47c-4674	Unpreventable top-level navigation ### Impact The `will-navigate` event that apps use to prevent navigations to unexpected destinations [as per our security recommendations](https://www.electronjs.org/docs/tutorial/security) can be bypassed when a sub-frame performs a top-frame navigation across sites. ### Patches * `11.0.0-beta.1` * `10.0.1` * `9.3.0` * `8.5.1` ### Workarounds Sandbox all your iframes using the [`sandbox` attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox). This will prevent them creating top-frame navigations and is good practice anyway. ### For more information If you have any questions or comments about this advisory: * Email us at security@electronjs.org	10.0.1 Affected by 12 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qd4u-smpr-auc1 Aliases: CVE-2020-15215 GHSA-56pc-6jqp-xqj8	Context isolation bypass in Electron ### Impact Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nativeWindowOpen: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. ### Workarounds There are no app-side workarounds, you must update your Electron version to be protected. ### Fixed Versions * `11.0.0-beta.6` * `10.1.2` * `9.3.1` * `8.5.2` ### For more information If you have any questions or comments about this advisory: * Email us at [security@electronjs.org](mailto:security@electronjs.org)	10.1.2 Affected by 12 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-beta.6 Affected by 11 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6pvc-cdyz-gkcv
Aliases:
CVE-2020-15174
GHSA-2q4g-w47c-4674

Unpreventable top-level navigation ### Impact The `will-navigate` event that apps use to prevent navigations to unexpected destinations [as per our security recommendations](https://www.electronjs.org/docs/tutorial/security) can be bypassed when a sub-frame performs a top-frame navigation across sites. ### Patches * `11.0.0-beta.1` * `10.0.1` * `9.3.0` * `8.5.1` ### Workarounds Sandbox all your iframes using the [`sandbox` attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox). This will prevent them creating top-frame navigations and is good practice anyway. ### For more information If you have any questions or comments about this advisory: * Email us at security@electronjs.org

10.0.1
Affected by 12 other vulnerabilities.

VCID-qd4u-smpr-auc1
Aliases:
CVE-2020-15215
GHSA-56pc-6jqp-xqj8

Context isolation bypass in Electron ### Impact Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nativeWindowOpen: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. ### Workarounds There are no app-side workarounds, you must update your Electron version to be protected. ### Fixed Versions * `11.0.0-beta.6` * `10.1.2` * `9.3.1` * `8.5.2` ### For more information If you have any questions or comments about this advisory: * Email us at [security@electronjs.org](mailto:security@electronjs.org)

10.1.2
Affected by 12 other vulnerabilities.

11.0.0-beta.6
Affected by 11 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T15:58:54.329972+00:00	GHSA Importer	Affected by	VCID-qd4u-smpr-auc1	https://github.com/advisories/GHSA-56pc-6jqp-xqj8	38.0.0
2026-04-01T15:58:54.238992+00:00	GHSA Importer	Affected by	VCID-6pvc-cdyz-gkcv	https://github.com/advisories/GHSA-2q4g-w47c-4674	38.0.0

2026-04-01T15:58:54.329972+00:00

GHSA Importer

Affected by

VCID-qd4u-smpr-auc1

https://github.com/advisories/GHSA-56pc-6jqp-xqj8

38.0.0

2026-04-01T15:58:54.238992+00:00

GHSA Importer

Affected by

VCID-6pvc-cdyz-gkcv

https://github.com/advisories/GHSA-2q4g-w47c-4674

38.0.0

purl	pkg:npm/electron@10.0.0-beta.0
Tags	Ghost

Next non-vulnerable version	35.7.5
Latest non-vulnerable version	42.0.0-alpha.5
Risk	4.0