Search for vulnerabilities
Vulnerability details: VCID-bc4x-m812-w7hn
Vulnerability ID VCID-bc4x-m812-w7hn
Aliases CVE-2018-15685
GHSA-hv9c-qwqg-qj3v
Summary Command Injection [electron] A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15).
Status Published
Exploitability 2.0
Weighted Severity 8.8
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1188 Initialization of a Resource with an Insecure Default
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
epss 0.13253 https://api.first.org/data/v1/epss?cve=CVE-2018-15685
cvssv3 9.8 https://electronjs.org/blog/web-preferences-fix
cvssv3.1 8.1 https://electronjs.org/blog/web-preferences-fix
generic_textual HIGH https://electronjs.org/blog/web-preferences-fix
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-hv9c-qwqg-qj3v
cvssv3.1 8.1 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 8.1 https://github.com/electron/electron/commit/519a02d8d4d28e8a467acb40fb26172a80c9454f
generic_textual HIGH https://github.com/electron/electron/commit/519a02d8d4d28e8a467acb40fb26172a80c9454f
cvssv3.1 8.1 https://github.com/electron/electron/commit/80221e52d93a96ea704cb6748ead669c55cff504
generic_textual HIGH https://github.com/electron/electron/commit/80221e52d93a96ea704cb6748ead669c55cff504
cvssv3.1 8.1 https://github.com/electron/electron/commit/bab968ca776be28791e4dddfd50c86bd5fae62fa
generic_textual HIGH https://github.com/electron/electron/commit/bab968ca776be28791e4dddfd50c86bd5fae62fa
cvssv3.1 8.1 https://github.com/electron/electron/commit/ef0a6d9a1c96efc4657c6dd3a6624eba969f095b
generic_textual HIGH https://github.com/electron/electron/commit/ef0a6d9a1c96efc4657c6dd3a6624eba969f095b
cvssv3 9.8 https://github.com/nodejs/security-wg/blob/main/vuln/npm/466.json
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2018-15685
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2018-15685
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2018-15685
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2018-15685
cvssv3 9.8 https://www.contrastsecurity.com/security-influencers/cve-2018-15685
cvssv3.1 8.1 https://www.contrastsecurity.com/security-influencers/cve-2018-15685
generic_textual HIGH https://www.contrastsecurity.com/security-influencers/cve-2018-15685
cvssv3.1 8.1 https://www.exploit-db.com/exploits/45272
generic_textual HIGH https://www.exploit-db.com/exploits/45272
cvssv3.1 8.1 https://www.npmjs.com/advisories/732
generic_textual HIGH https://www.npmjs.com/advisories/732
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2018-15685
https://electronjs.org/blog/web-preferences-fix
https://github.com/electron/electron
https://github.com/electron/electron/commit/519a02d8d4d28e8a467acb40fb26172a80c9454f
https://github.com/electron/electron/commit/80221e52d93a96ea704cb6748ead669c55cff504
https://github.com/electron/electron/commit/bab968ca776be28791e4dddfd50c86bd5fae62fa
https://github.com/electron/electron/commit/ef0a6d9a1c96efc4657c6dd3a6624eba969f095b
https://nvd.nist.gov/vuln/detail/CVE-2018-15685
https://www.contrastsecurity.com/security-influencers/cve-2018-15685
https://www.exploit-db.com/exploits/45272
https://www.exploit-db.com/exploits/45272/
https://www.npmjs.com/advisories/732
466 https://github.com/nodejs/security-wg/blob/main/vuln/npm/466.json
cpe:2.3:a:electronjs:electron:1.7.15:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:1.7.15:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:1.8.7:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:1.8.7:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.7:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:3.0.0:beta6:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:3.0.0:beta6:*:*:*:*:*:*
CVE-2018-15685 Exploit https://github.com/matt-/CVE-2018-15685
CVE-2018-15685 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/45272.txt
GHSA-hv9c-qwqg-qj3v https://github.com/advisories/GHSA-hv9c-qwqg-qj3v
Data source Exploit-DB
Date added Aug. 27, 2018
Description Electron WebPreferences - Remote Code Execution
Ransomware campaign use Known
Source publication date Aug. 27, 2018
Exploit type remote
Platform multiple
Source update date Aug. 27, 2018
Source URL https://github.com/matt-/CVE-2018-15685
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://electronjs.org/blog/web-preferences-fix
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/commit/519a02d8d4d28e8a467acb40fb26172a80c9454f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/commit/80221e52d93a96ea704cb6748ead669c55cff504
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/commit/bab968ca776be28791e4dddfd50c86bd5fae62fa
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/commit/ef0a6d9a1c96efc4657c6dd3a6624eba969f095b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-15685
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-15685
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-15685
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.contrastsecurity.com/security-influencers/cve-2018-15685
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/45272
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.npmjs.com/advisories/732
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.93859
EPSS Score 0.13253
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T07:58:30.563257+00:00 Npm Importer Import https://github.com/nodejs/security-wg/blob/main/vuln/npm/466.json 37.0.0