
electron — Vulnerabilities & Security Advisories (38)

Browse all 38 CVE security advisories affecting electron. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Electron is an open-source framework for building cross-platform desktop applications with web technologies (HTML, CSS, and JavaScript). By embedding the Chromium engine and the Node.js runtime, it lets web code interact directly with the operating system, which creates a significant attack surface. Historically, vulnerabilities in this architecture have frequently led to Remote Code Execution (RCE) and Cross-Site Scripting (XSS), often stemming from improper handling of IPC channels or insecure default configurations. With 38 recorded CVEs, the framework has drawn scrutiny over privilege escalation risks when applications fail to sandbox web content properly. The framework itself is not the problem; rather, the complexity of bridging web and native APIs has produced notable security incidents in which attackers exploited these interfaces to gain unauthorized system access. Developers must rigorously enforce security policies to mitigate the risks inherent in the hybrid nature of Electron-based software.

Top products by electron: electron, packager

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34781 | Electron crashes in clipboard.readImage() on malformed clipboard image data | electron | CWE-476 | 2.8 | Low | 2026-04-07 |
| CVE-2026-34765 | Electron named window.open targets not scoped to the opener's browsing context | electron | CWE-668 | 6.0 | Medium | 2026-04-07 |
| CVE-2026-34764 | Electron has a use-after-free in offscreen shared texture release() callback | electron | CWE-416 | 2.3 | Low | 2026-04-06 |
| CVE-2026-34780 | Electron: Context Isolation bypass via contextBridge VideoFrame transfer | electron | CWE-668 | 8.4 | High | 2026-04-04 |
| CVE-2026-34779 | Electron: AppleScript injection in app.moveToApplicationsFolder on macOS | electron | CWE-78 | 6.5 | Medium | 2026-04-04 |
| CVE-2026-34778 | Electron: Service worker can spoof executeJavaScript IPC replies | electron | CWE-290 | 5.9 | Medium | 2026-04-03 |
| CVE-2026-34777 | Electron: Incorrect origin passed to permission request handler for iframe requests | electron | CWE-346 | 5.4 | Medium | 2026-04-03 |
| CVE-2026-34776 | Electron: Out-of-bounds read in second-instance IPC on macOS and Linux | electron | CWE-125 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-34775 | Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes | electron | CWE-653 | 6.8 | Medium | 2026-04-03 |
| CVE-2026-34774 | Electron: Use-after-free in offscreen child window paint callback | electron | CWE-416 | 8.1 | High | 2026-04-03 |
| CVE-2026-34773 | Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows | electron | CWE-20 | 4.7 | Medium | 2026-04-03 |
| CVE-2026-34772 | Electron: Use-after-free in download save dialog callback | electron | CWE-416 | 5.8 | Medium | 2026-04-03 |
| CVE-2026-34771 | Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks | electron | CWE-416 | 7.5 | High | 2026-04-03 |
| CVE-2026-34770 | Electron: Use-after-free in PowerMonitor on Windows and macOS | electron | CWE-416 | 7.0 | High | 2026-04-03 |
| CVE-2026-34768 | Electron: Unquoted executable path in app.setLoginItemSettings on Windows | electron | CWE-428 | 3.9 | Low | 2026-04-03 |
| CVE-2026-34767 | Electron: HTTP Response Header Injection in custom protocol handlers and webRequest | electron | CWE-74 | 5.9 | Medium | 2026-04-03 |
| CVE-2026-34766 | Electron: USB device selection not validated against filtered device list | electron | CWE-862 | 3.3 | Low | 2026-04-03 |
| CVE-2026-34769 | Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference | electron | CWE-88 | 7.8 | High | 2026-04-03 |
| CVE-2025-55305 | Electron is vulnerable to Code Injection via resource modification | electron | CWE-94 | 6.1 | Medium | 2025-09-04 |
| CVE-2024-46993 | Electron Vulnerable to Heap Buffer Overflow in NativeImage::CreateFromPath | electron | CWE-122 | 8.0 | High | 2025-07-01 |
| CVE-2024-46992 | Electron ASAR Integrity bypass by just modifying the content | electron | CWE-354 | 7.8 | High | 2025-07-01 |
| CVE-2024-29900 | @electron/packager's build process memory potentially leaked into final executable | packager | CWE-402 | 7.5 | High | 2024-03-29 |
| CVE-2023-44402 | ASAR Integrity bypass via filetype confusion in electron | electron | CWE-345 | 6.1 | Medium | 2023-12-01 |
| CVE-2023-23623 | Content-Security-Policy disabling eval not applied consistently in renderers with sandbox disabled in Electron | electron | CWE-670 | 7.5 | High | 2023-09-06 |
| CVE-2023-29198 | Context isolation bypass via nested unserializable return value in Electron | electron | CWE-754 | 6.0 | Medium | 2023-09-06 |
| CVE-2023-39956 | Electron: Out-of-package code execution when launched with arbitrary cwd | electron | CWE-94 | 6.1 | Medium | 2023-09-06 |
| CVE-2022-36077 | Electron subject to Exfiltration of hashed SMB credentials on Windows via file:// redirect | electron | CWE-522 | 7.2 | High | 2022-11-08 |
| CVE-2022-29257 | Electron's AutoUpdater module fails to validate certain nested components of the bundle | electron | CWE-20 | 6.6 | Medium | 2022-06-13 |
| CVE-2022-29247 | Exposure of Resource to Wrong Sphere in Electron | electron | CWE-668 | 2.2 | Low | 2022-06-13 |
| CVE-2022-21718 | Renderers can obtain access to random bluetooth device without permission in Electron | electron | CWE-668 | 3.4 | Low | 2022-03-22 |

This page lists every published CVE security advisory associated with electron. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.