Version 33.2.1

electron

:electron: Build cross-platform desktop apps with JavaScript, HTML, and CSS

Install Instructions

npm install electron
Current Version Release Date November 27, 2024
Language JavaScript/TypeScript
Package URL (purl) pkg:npm/electron@33.2.1

Find electron vulnerabilities in your supply chain.

Scan for Free

electron Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2017-12581 High 8.1 CWE-78 0.00543 0.78042
  • 1.3.1–1.6.7
  • 0.1.0–0.4.1
CVE-2017-16151 High 9.8 CWE-94 0.01597 0.87888
  • 1.3.1–1.7.7
  • 0.1.0–0.4.1
CVE-2018-1000006 High 8.8 CWE-94, CWE-78, CWE-22 0.97033 0.99807
  • 1.3.1–1.8.2-beta.3
  • 0.1.0–0.4.1
CVE-2018-1000118 High 8.8 CWE-264, CWE-78 0.00149 0.52165
  • 1.3.1–1.8.2-beta.4
  • 0.1.0–0.4.1
CVE-2019-5786 Medium 6.5 CWE-416 0.97233 0.99878
  • 4.0.0–4.0.7
  • 3.0.0–3.1.5
  • 2.0.0–2.0.17
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-15096 Medium 6.8 CWE-501 0.00054 0.24397
  • 8.0.0–8.2.3
  • 7.0.0–7.2.3
  • 6.0.0–6.1.10
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-15999 Medium 6.5 CWE-787 0.03191 0.91498
  • 10.0.0–10.1.4
  • 9.0.0–9.3.2
  • 8.0.0–8.5.2
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16013 High 8.8 CWE-787 0.00374 0.73513
  • 10.0.0–10.1.5
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16014 High 9.6 CWE-416 0.00161 0.53884
  • 10.0.0–10.1.7
  • 9.0.0–9.3.5
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16015 High 8.8 CWE-843, CWE-787, CWE-20 0.00129 0.49201
  • 10.0.0–10.1.6
  • 9.0.0–9.3.5
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16017 High 9.6 CWE-416 0.00229 0.61853
  • 10.0.0–10.1.5
  • 9.0.0–9.3.4
  • 8.0.0–8.5.3
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16022 High 8.8 CWE-862 0.00118 0.47357
  • 10.0.0–10.1.6
  • 9.0.0–9.3.5
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16023 High 8.8 CWE-416, CWE-787 0.00155 0.53014
  • 10.0.0–10.1.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16024 High 9.6 CWE-787 0.00253 0.65531
  • 10.0.0–10.1.7
  • 9.0.0–9.3.5
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16037 High 8.8 CWE-416, CWE-787 0.00159 0.53589
  • 9.0.0–9.4.0
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16040 Medium 6.5 CWE-190, CWE-787, CWE-20 0.37457 0.97309
  • 10.0.0–10.1.7
  • 9.0.0–9.3.5
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16041 High 8.1 CWE-125 0.00125 0.48566
  • 9.0.0–9.4.0
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16042 Medium 6.5 CWE-200, CWE-908 0.0011 0.45578
  • 9.0.0–9.4.0
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-16044 High 8.8 CWE-416, CWE-787 0.00155 0.53014
  • 11.0.0–11.2.1
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-26272 Medium 6.5 CWE-668 0.00122 0.48052
  • 11.0.0–11.0.5
  • 10.0.0–10.1.7
  • 9.0.0–9.3.5
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-4075 High 7.5 CWE-552 0.00178 0.56084
  • 8.0.0–8.2.3
  • 7.0.0–7.2.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-4076 High 9 CWE-501 0.0007 0.32092
  • 8.0.0–8.2.3
  • 7.0.0–7.2.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-4077 High 9.9 CWE-501 0.00104 0.44025
  • 8.0.0–8.2.3
  • 7.0.0–7.2.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6426 Medium 6.5 CWE-119, CWE-787 0.00259 0.65987
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
  • 6.0.0–6.1.9
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6427 High 8.8 CWE-416, CWE-787 0.00963 0.83915
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6428 High 8.8 CWE-416, CWE-787 0.00963 0.83915
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
  • 6.0.0–6.1.9
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6429 High 8.8 CWE-416, CWE-787 0.00963 0.83915
  • 8.0.0–8.1.1
  • 7.0.0–7.2.1
  • 6.0.0–6.1.9
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6449 High 8.8 CWE-416, CWE-787 0.01227 0.85976
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
  • 6.0.0–6.1.9
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6450 High 8.8 CWE-416, CWE-787 0.00497 0.76974
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
  • 6.0.0–6.1.9
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6451 High 8.8 CWE-416, CWE-787 0.00582 0.78775
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
  • 6.0.0–6.1.9
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6452 High 8.8 CWE-787 0.0087 0.83039
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
  • 6.0.0–6.1.9
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6467 High 8.8 CWE-416, CWE-787 0.00549 0.78162
  • 8.0.0–8.3.0
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2020-6468 High 8.8 CWE-843, CWE-787 0.00524 0.77607
  • 7.0.0–7.3.0
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21118 High 8.8 CWE-119, CWE-20 0.00311 0.70856
  • 11.0.0–11.2.1
  • 10.0.0–10.3.0
  • 9.0.0–9.4.1
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21119 High 8.8 CWE-416 0.00291 0.69851
  • 11.0.0–11.2.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.3
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21120 High 8.8 CWE-416 0.00312 0.70881
  • 11.0.0–11.2.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.3
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21123 Medium 6.5 CWE-287, CWE-20 0.00113 0.46296
  • 11.0.0–11.2.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.3
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21130 Medium 6.5 CWE-287, CWE-20 0.00113 0.46296
  • 11.0.0–11.2.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.3
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21160 High 8.8 CWE-787 0.00767 0.81849
  • 11.0.0–11.3.0
  • 10.0.0–10.4.0
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21162 High 8.8 CWE-416 0.0091 0.83437
  • 11.0.0–11.3.0
  • 10.0.0–10.4.0
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21165 High 8.8 CWE-119 0.01287 0.86342
  • 11.0.0–11.3.0
  • 10.0.0–10.4.0
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21166 High 8.8 CWE-119 0.03804 0.92175
  • 11.0.0–11.4.0
  • 10.0.0–10.4.0
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21169 High 8.8 CWE-119 0.01287 0.86342
  • 11.0.0–11.4.0
  • 10.0.0–10.4.1
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21172 High 8.1 CWE-453 0.00578 0.78705
  • 11.0.0–11.4.0
  • 10.0.0–10.4.0
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21174 High 8.8 CWE-284 0.01226 0.85968
  • 11.0.0–11.4.0
  • 10.0.0–10.4.2
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21175 Medium 6.5 CWE-346 0.00523 0.77575
  • 11.0.0–11.4.0
  • 10.0.0–10.4.1
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21179 High 8.8 CWE-416 0.0091 0.83437
  • 11.0.0–11.4.0
  • 10.0.0–10.4.1
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21181 Medium 6.5 CWE-200 0.01274 0.86253
  • 11.0.0–11.3.0
  • 10.0.0–10.4.0
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21193 High 8.8 CWE-416 0.01139 0.8532
  • 11.0.0–11.3.0
  • 10.0.0–10.4.0
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21198 High 7.4 CWE-125 0.00452 0.75918
  • 11.0.0–11.4.3
  • 10.0.0–10.4.3
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21202 High 8.6 CWE-416 0.00107 0.45
  • 11.0.0–11.4.3
  • 10.0.0–10.4.3
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21222 Medium 6.5 CWE-787 0.00333 0.71924
  • 12.0.0–12.0.5
  • 11.0.0–11.4.3
  • 10.0.0–10.4.3
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21223 High 9.6 CWE-190 0.0132 0.86518
  • 12.0.0–12.0.5
  • 10.0.0–10.4.3
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21225 High 8.8 CWE-119 0.00973 0.83991
  • 12.0.0–12.0.5
  • 11.0.0–11.4.3
  • 10.0.0–10.4.3
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21226 High 9.6 CWE-416 0.01639 0.88048
  • 12.0.0–12.0.5
  • 11.0.0–11.4.3
  • 10.0.0–10.4.3
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-21231 High 8.8 CWE-345 0.01558 0.87704
  • 12.0.0–12.0.5
  • 10.0.0–10.4.3
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-30508 High 8.8 CWE-787 0.00312 0.70902
  • 12.0.0–12.0.9
  • 11.0.0–11.4.7
  • 10.0.0–10.4.6
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-30510 High 8.8 CWE-416 0.00632 0.7969
  • 12.0.0–12.0.9
  • 11.0.0–11.4.7
  • 10.0.0–10.4.6
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-30512 High 8.8 CWE-416 0.00632 0.7969
  • 12.0.0–12.0.9
  • 11.0.0–11.4.7
  • 10.0.0–10.4.6
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-30513 High 8.8 CWE-843 0.00632 0.7969
  • 12.0.0–12.0.9
  • 11.0.0–11.4.7
  • 10.0.0–10.4.6
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-30515 High 8.8 CWE-416 0.00632 0.7969
  • 12.0.0–12.0.9
  • 11.0.0–11.4.7
  • 10.0.0–10.4.6
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-30516 High 8.8 CWE-787 0.00551 0.7819
  • 12.0.0–12.0.9
  • 11.0.0–11.4.7
  • 10.0.0–10.4.6
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-30518 High 8.8 CWE-787 0.00551 0.7819
  • 12.0.0–12.0.9
  • 11.0.0–11.4.7
  • 10.0.0–10.4.6
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2021-39184 High 8.6 CWE-862 0.00149 0.52241
  • 13.0.0–13.2.3
  • 12.0.0–12.0.18
  • 11.0.0–11.4.12
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2022-21718 Medium 5 CWE-862, CWE-668 0.00141 0.51137
  • 17.0.0-alpha.1–17.0.0-alpha.5
  • 16.0.0–16.0.5
  • 15.0.0–15.3.4
  • 14.0.0–14.2.3
  • 13.0.0–13.6.3
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2022-29247 High 9.8 CWE-668 0.00261 0.66242
  • 18.0.0-beta.1–18.0.0-beta.5
  • 17.0.0–17.1.2
  • 16.0.0–16.2.5
  • 15.0.0–15.5.4
  • 14.0.0–14.2.9
  • 13.0.0–13.6.9
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2022-29257 High 7.2 CWE-20 0.00095 0.41618
  • 18.0.0-beta.1–18.0.0-beta.5
  • 17.0.0–17.1.2
  • 16.0.0–16.1.1
  • 15.0.0–15.4.2
  • 14.0.0–14.2.9
  • 13.0.0–13.6.9
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2022-36077 Medium 6.1 CWE-522 0.00072 0.33048
  • 20.0.0–20.0.0-beta.13
  • 19.0.0–19.0.10
  • 18.0.0–18.3.6
  • 17.0.0–17.4.11
  • 16.0.0–16.2.8
  • 15.0.0–15.5.7
  • 14.0.0–14.2.9
  • 13.0.0–13.6.9
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2023-29198 High 8.5 CWE-754 0.00089 0.39425
  • 25.0.0-alpha.1
  • 24.0.0–24.0.0-beta.7
  • 23.0.0–23.2.2
  • 22.0.0–22.3.5
  • 21.0.0–21.4.4
  • 20.0.0–20.3.12
  • 19.0.0–19.1.9
  • 18.0.0–18.3.15
  • 17.0.0–17.4.11
  • 16.0.0–16.2.8
  • 15.0.0–15.5.7
  • 14.0.0–14.2.9
  • 13.0.0–13.6.9
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2023-39956 Medium 6.6 CWE-94 0.00043 0.10406
  • 26.0.0-alpha.1–26.0.0-beta.12
  • 25.0.0–25.4.0
  • 24.0.0–24.7.0
  • 23.0.0–23.3.12
  • 22.0.0–22.3.18
  • 21.0.0–21.4.4
  • 20.0.0–20.3.12
  • 19.0.0–19.1.9
  • 18.0.0–18.3.15
  • 17.0.0–17.4.11
  • 16.0.0–16.2.8
  • 15.0.0–15.5.7
  • 14.0.0–14.2.9
  • 13.0.0–13.6.9
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2023-44402 High 7 CWE-345 0.0005 0.2128
  • 27.0.0-alpha.1–27.0.0-alpha.6
  • 26.0.0–26.2.0
  • 25.0.0–25.8.0
  • 24.0.0–24.8.2
  • 23.0.0–23.3.13
  • 22.0.0–22.3.23
  • 21.0.0–21.4.4
  • 20.0.0–20.3.12
  • 19.0.0–19.1.9
  • 18.0.0–18.3.15
  • 17.0.0–17.4.11
  • 16.0.0–16.2.8
  • 15.0.0–15.5.7
  • 14.0.0–14.2.9
  • 13.0.0–13.6.9
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2023-5217 High 8.8 CWE-787 0.31122 0.97112
  • 27.0.0-alpha.1–27.0.0-beta.7
  • 26.0.0–26.2.3
  • 25.0.0–25.8.3
  • 24.0.0–24.8.4
  • 22.0.0–22.3.24
  • 21.0.0–21.4.4
  • 20.0.0–20.3.12
  • 19.0.0–19.1.9
  • 18.0.0–18.3.15
  • 17.0.0–17.4.11
  • 16.0.0–16.2.8
  • 15.0.0–15.5.7
  • 14.0.0–14.2.9
  • 13.0.0–13.6.9
  • 12.0.0–12.2.3
  • 11.0.0–11.5.0
  • 10.0.0–10.4.7
  • 9.0.0–9.4.4
  • 8.0.0–8.5.5
  • 7.0.0–7.3.3
  • 6.0.0–6.1.12
  • 5.0.0–5.0.13
  • 4.0.0–4.2.12
  • 3.0.0–3.1.13
  • 2.0.0–2.1.0-unsupported.20180809
  • 1.3.1–1.8.8
  • 0.1.0–0.4.1
CVE-2018-15685 High 8.1 CWE-1188 0.03846 0.92213
  • 3.0.0-beta.1–3.0.0-beta.6
  • 2.0.0–2.0.8-nightly.20180820
  • 1.7.0–1.8.7
CVE-2017-1000424 Medium 4.3 CWE-19 0.00081 0.3643
  • 1.6.4–1.7.5
CVE-2018-1000136 High 8.1 CWE-228, CWE-19, CWE-20 0.01012 0.84335
  • 2.0.0-beta.1–2.0.0-beta.4
  • 1.7.0–1.8.3
CVE-2016-1202 High 7.8 0.00042 0.05102
  • 0.1.0–0.4.1
CVE-2020-6422 High 8.8 CWE-416, CWE-787 0.00835 0.82668
  • 8.0.0–8.2.0
  • 7.0.0–7.2.1
CVE-2020-6423 High 8.8 CWE-416, CWE-787 0.00965 0.83922
  • 9.0.0-beta.1–9.0.0-beta.9
  • 8.0.0–8.2.1
  • 7.0.0–7.2.1
CVE-2020-6457 High 9.6 CWE-416 0.00269 0.68589
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-6458 High 8.8 CWE-787, CWE-125 0.00243 0.6472
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
CVE-2020-6459 High 8.8 CWE-416, CWE-787 0.00414 0.74742
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-6460 Medium 6.5 CWE-20 0.00174 0.55633
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-6461 High 9.6 CWE-416 0.00222 0.61228
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-6462 High 9.6 CWE-416 0.00222 0.61228
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-6463 High 8.8 CWE-416, CWE-787 0.00577 0.78684
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-6464 High 8.8 CWE-843, CWE-787 0.00754 0.81661
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-6532 High 8.8 CWE-416, CWE-787 0.00416 0.74854
  • 9.0.0–9.2.0
  • 8.0.0–8.5.0
  • 7.0.0–7.3.2
CVE-2020-6831 High 9.8 CWE-787, CWE-120 0.02161 0.89731
  • 8.0.0–8.2.5
  • 7.0.0–7.2.4
  • 6.0.0–6.1.11
CVE-2020-15174 High 7.5 CWE-693, CWE-20 0.00137 0.50504
  • 10.0.0–10.0.0-beta.25
  • 9.0.0–9.2.1
  • 8.0.0–8.5.0
CVE-2020-15215 Medium 5.6 CWE-693, CWE-668 0.00092 0.40882
  • 11.0.0-beta.1–11.0.0-beta.4
  • 10.0.0–10.1.1
  • 9.0.0–9.3.0
  • 8.0.0–8.5.1
CVE-2020-6454 High 8.8 CWE-416, CWE-787 0.00332 0.71917
  • 8.0.0–8.3.4
CVE-2020-6537 High 8.8 CWE-843 0.00479 0.76565
  • 9.0.0–9.2.0
CVE-2022-4135 High 9.6 CWE-787 0.01461 0.8724
  • 19.0.0–19.1.7
CVE-2023-4863 High 8.8 CWE-787 0.44315 0.975
  • 27.0.0-beta.1
  • 26.0.0–26.2.0
  • 25.0.0–25.8.0
  • 24.0.0–24.8.2
  • 22.0.0–22.3.23
CVE-2023-23623 High 9.8 CWE-670 0.0017 0.55113
  • 23.0.0-alpha.1
  • 22.0.0–22.0.0-beta.8

electron Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2023-5217 Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2023-4863 Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) 22.0.1, 22.3.18, 25.8.0, 24.8.2, 26.1.0, 24.6.1, 24.6.0, 24.5.1 (Show all) Minor → 22.3.25
CVE-2023-44402 Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `.app` bundle on macOS which these fuses are supposed to protect against. There are no app side workarounds, you must update to a patched version of Electron. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2023-39956 Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:`26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds, users must update to a patched version of Electron. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2023-29198 Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2023-23623 Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. A Content-Security-Policy that disables eval, specifically setting a `script-src` directive and _not_ providing `unsafe-eval` in that directive, is not respected in renderers that have sandbox disabled. i.e. `sandbox: false` in the `webPreferences` object. This allows usage of methods like `eval()` and `new Function` unexpectedly which can result in an expanded attack surface. This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes: 22.0.1 and 23.0.0-alpha.2 We recommend all apps upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by enabling `sandbox: true` on all renderers. 22.0.0-beta.4, 23.0.0-alpha.1, 22.0.0-beta.5, 22.0.0-beta.7, 22.0.0-beta.2, 22.0.0-beta.1, 22.0.0-beta.8, 22.0.0-beta.3 (Show all) Major → 22.3.25
CVE-2022-4135 Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) 19.0.7, 19.0.0, 19.0.10, 19.0.3, 19.0.2, 19.0.4, 19.0.8, 19.0.1 (Show all) Major → 22.3.25
CVE-2022-36077 The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents as a workaround. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2022-29257 Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto updating infrastructure and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2022-29247 Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`. The `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs, which include `ipcRenderer`. If the application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate `senderFrame`. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2022-21718 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-39184 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-30518 Heap buffer overflow in Reader Mode in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-30516 Heap buffer overflow in History in Google Chrome prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-30515 Use after free in File API in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-30513 Type confusion in V8 in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-30512 Use after free in Notifications in Google Chrome prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-30510 Use after free in Aura in Google Chrome prior to 90.0.4430.212 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-30508 Heap buffer overflow in Media Feeds in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to enable certain features in Chrome to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21231 Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21226 Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21225 Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21223 Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21222 Heap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21202 Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21198 Out of bounds read in IPC in Google Chrome prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21193 Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21181 Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21179 Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21175 Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21174 Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21172 Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21169 Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21166 Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21165 Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21162 Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21160 Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21130 Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21123 Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21120 Use after free in WebSQL in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21119 Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2021-21118 Insufficient data validation in V8 in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6831 A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1 (Show all) Major → 22.3.25
CVE-2020-6537 Type confusion in V8 in Google Chrome prior to 84.0.4147.105 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 9.0.3, 9.0.4, 9.2.0, 9.1.2, 9.0.0, 9.1.1, 9.0.1, 9.1.0 (Show all) Major → 22.3.25
CVE-2020-6532 Use after free in SCTP in Google Chrome prior to 84.0.4147.105 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 7.3.0, 7.1.10, 7.2.2, 7.3.2 (Show all) Major → 22.3.25
CVE-2020-6468 Type confusion in V8 in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6467 Use after free in WebRTC in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6464 Type confusion in Blink in Google Chrome prior to 81.0.4044.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1 (Show all) Major → 22.3.25
CVE-2020-6463 Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1 (Show all) Major → 22.3.25
CVE-2020-6462 Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1 (Show all) Major → 22.3.25
CVE-2020-6461 Use after free in storage in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1 (Show all) Major → 22.3.25
CVE-2020-6460 Insufficient data validation in URL formatting in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to perform domain spoofing via a crafted domain name. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1 (Show all) Major → 22.3.25
CVE-2020-6459 Use after free in payments in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1 (Show all) Major → 22.3.25
CVE-2020-6458 Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. 7.1.1, 7.1.4, 8.2.2, 7.1.8, 7.1.10, 7.2.2, 7.0.1, 8.2.3 (Show all) Major → 22.3.25
CVE-2020-6457 Use after free in speech recognizer in Google Chrome prior to 81.0.4044.113 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. 7.1.1, 7.1.4, 7.1.8, 6.1.10, 7.1.10, 7.2.2, 7.0.1, 6.1.2 (Show all) Major → 22.3.25
CVE-2020-6454 Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. 8.2.2, 8.3.4, 8.2.3, 8.2.0, 8.3.3, 8.0.3, 8.3.1, 8.3.2 (Show all) Major → 22.3.25
CVE-2020-6452 Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6451 Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6450 Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6449 Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6429 Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6428 Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6427 Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6426 Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-6423 Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 7.1.1, 7.1.4, 9.0.0-beta.7, 7.1.8, 7.1.10, 7.0.1, 8.2.0, 8.0.3 (Show all) Major → 22.3.25
CVE-2020-6422 Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 7.1.1, 7.1.4, 7.1.8, 7.1.10, 7.0.1, 8.2.0, 8.0.3, 7.1.6 (Show all) Major → 22.3.25
CVE-2020-4077 In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-4076 In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-4075 In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-26272 The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. In affected versions of Electron IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no workarounds for this issue. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16044 Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16042 Uninitialized Use in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16041 Out of bounds read in networking in Google Chrome prior to 87.0.4280.88 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16040 Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16037 Use after free in clipboard in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16024 Heap buffer overflow in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16023 Use after free in WebCodecs in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16022 Insufficient policy enforcement in networking in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially bypass firewall controls via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16017 Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16015 Insufficient data validation in WASM in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16014 Use after free in PPAPI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-16013 Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-15999 Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2020-15215 Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nodeIntegrationInSubFrames: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. 9.0.0-beta.7, 8.2.2, 8.0.0-beta.7, 8.0.0-beta.3, 10.0.0-beta.9, 9.3.0, 10.0.0, 10.0.0-beta.14 (Show all) Major → 22.3.25
CVE-2020-15174 In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway. 9.0.0-beta.7, 8.2.2, 8.0.0-beta.7, 8.0.0-beta.3, 10.0.0-beta.9, 10.0.0, 10.0.0-beta.14, 9.0.0-beta.12 (Show all) Major → 22.3.25
CVE-2020-15096 In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2019-5786 Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. 1.5.0, 2.0.4, 1.6.1, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 1.4.12, 1.4.16 (Show all) Major → 22.3.25
CVE-2018-15685 GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution. 2.0.4, 2.0.8-nightly.20180819, 1.7.5, 1.7.1, 2.0.2, 1.7.10, 1.7.6, 1.7.14 (Show all) Major → 22.3.25
CVE-2018-1000136 Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4. 1.7.5, 1.7.1, 2.0.0-beta.2, 1.7.10, 1.7.6, 1.8.1, 1.8.2-beta.1, 1.7.2 (Show all) Major → 22.3.25
CVE-2018-1000118 Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it. 1.5.0, 1.6.1, 1.7.5, 1.7.1, 1.4.12, 1.4.16, 1.3.1, 1.6.10 (Show all) Major → 22.3.25
CVE-2018-1000006 GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16. 1.5.0, 1.6.1, 1.7.5, 1.7.1, 1.4.12, 1.4.16, 1.3.1, 1.6.10 (Show all) Major → 22.3.25
CVE-2017-16151 Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled. 1.5.0, 1.6.1, 1.7.5, 1.7.1, 1.4.12, 1.4.16, 1.3.1, 1.6.10 (Show all) Major → 22.3.25
CVE-2017-12581 GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. This also affects all applications that bundle Electron code equivalent to 1.6.8 or earlier. Bypassing the Same Origin Policy (SOP) is a precondition; however, recent Electron versions do not have strict SOP enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window could be used to eval a Node.js child_process.execFile API call. 1.5.0, 1.6.1, 1.4.12, 1.4.16, 1.3.1, 1.4.11, 1.6.4, 1.6.7 (Show all) Major → 22.3.25
CVE-2017-1000424 Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vulnerable to a URL Spoofing problem when opening PDFs in PDFium resulting loading arbitrary PDFs that a hacker can control. 1.7.5, 1.7.1, 1.6.10, 1.6.9, 1.6.4, 1.6.11, 1.6.8, 1.6.7 (Show all) Major → 22.3.25
CVE-2016-1202 Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line. 0.4.1, 0.4.0, 0.3.0, 0.2.1, 0.1.2, 0.2.0, 0.1.1, 0.1.0 Major → 22.3.25

Instantly see if these electron vulnerabilities affect your code.

Scan for Free