VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-42af-f5vs-1fe3

Essentials
Severities (22)
References (13)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-42af-f5vs-1fe3
Aliases	CVE-2020-26272 GHSA-hvf8-h2qh-37m9
Summary	IPC messages delivered to the wrong frame in Electron ### Impact IPC messages sent from the main process to a subframe in the renderer process, through `webContents.sendToFrame`, `event.reply` or when using the `remote` module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: - Uses `remote` - Calls `webContents.sendToFrame` - Calls `event.reply` in an IPC message handler ### Patches This has been fixed in the following versions: - 9.4.0 - 10.2.0 - 11.1.0 - 12.0.0-beta.9 ### Workarounds There are no workarounds for this issue. ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-668	Exposure of Resource to Wrong Sphere
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00965	https://api.first.org/data/v1/epss?cve=CVE-2020-26272
cvssv3.1	5.4	https://github.com/electron/electron/commit/07a1c2a3e5845901f7e2eda9506695be58edc73c
generic_textual	MODERATE	https://github.com/electron/electron/commit/07a1c2a3e5845901f7e2eda9506695be58edc73c
cvssv3.1	5.4	https://github.com/electron/electron/commit/0bbd268eb4caf35604443df5ff196980dd49e208
generic_textual	MODERATE	https://github.com/electron/electron/commit/0bbd268eb4caf35604443df5ff196980dd49e208
cvssv3.1	5.4	https://github.com/electron/electron/commit/36c695ce2a7e22c07fe1e30c61c00d20371daee2
generic_textual	MODERATE	https://github.com/electron/electron/commit/36c695ce2a7e22c07fe1e30c61c00d20371daee2
cvssv3.1	5.4	https://github.com/electron/electron/commit/429400040ecb16a21d19936658579e65a797e4cc
generic_textual	MODERATE	https://github.com/electron/electron/commit/429400040ecb16a21d19936658579e65a797e4cc
cvssv3.1	5.4	https://github.com/electron/electron/commit/5c8e7e8b7f485ceafa8b271086d7b87e1de9dedd
generic_textual	MODERATE	https://github.com/electron/electron/commit/5c8e7e8b7f485ceafa8b271086d7b87e1de9dedd
cvssv3.1	5.4	https://github.com/electron/electron/pull/26875
generic_textual	MODERATE	https://github.com/electron/electron/pull/26875
cvssv3.1	5.4	https://github.com/electron/electron/releases/tag/v9.4.0
generic_textual	MODERATE	https://github.com/electron/electron/releases/tag/v9.4.0
cvssv3.1	5.4	https://github.com/electron/electron/security/advisories/GHSA-hvf8-h2qh-37m9
generic_textual	MODERATE	https://github.com/electron/electron/security/advisories/GHSA-hvf8-h2qh-37m9
cvssv3.1	5.4	https://nvd.nist.gov/vuln/detail/CVE-2020-26272
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2020-26272
archlinux	Medium	https://security.archlinux.org/AVG-1503
cvssv3.1	5.4	https://www.electronjs.org/releases/stable?version=9#9.4.0
generic_textual	MODERATE	https://www.electronjs.org/releases/stable?version=9#9.4.0

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2020-26272
		https://github.com/electron/electron/commit/07a1c2a3e5845901f7e2eda9506695be58edc73c
		https://github.com/electron/electron/commit/0bbd268eb4caf35604443df5ff196980dd49e208
		https://github.com/electron/electron/commit/36c695ce2a7e22c07fe1e30c61c00d20371daee2
		https://github.com/electron/electron/commit/429400040ecb16a21d19936658579e65a797e4cc
		https://github.com/electron/electron/commit/5c8e7e8b7f485ceafa8b271086d7b87e1de9dedd
		https://github.com/electron/electron/pull/26875
		https://github.com/electron/electron/releases/tag/v9.4.0
		https://github.com/electron/electron/security/advisories/GHSA-hvf8-h2qh-37m9
		https://nvd.nist.gov/vuln/detail/CVE-2020-26272
		https://www.electronjs.org/releases/stable?version=9#9.4.0
AVG-1503		https://security.archlinux.org/AVG-1503
GHSA-hvf8-h2qh-37m9		https://github.com/advisories/GHSA-hvf8-h2qh-37m9

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/commit/07a1c2a3e5845901f7e2eda9506695be58edc73c

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/commit/0bbd268eb4caf35604443df5ff196980dd49e208

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/commit/36c695ce2a7e22c07fe1e30c61c00d20371daee2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/commit/429400040ecb16a21d19936658579e65a797e4cc

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/commit/5c8e7e8b7f485ceafa8b271086d7b87e1de9dedd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/pull/26875

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/releases/tag/v9.4.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/electron/electron/security/advisories/GHSA-hvf8-h2qh-37m9

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-26272

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://www.electronjs.org/releases/stable?version=9#9.4.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.7685
EPSS Score	0.00965
Published At	May 29, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-29T09:13:08.878148+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-hvf8-h2qh-37m9/GHSA-hvf8-h2qh-37m9.json	38.6.0