pkg:npm/electron

48 total CVEs: 2 CRITICAL, 18 HIGH, 21 MEDIUM, 6 LOW (1 with no severity listed)


All known vulnerabilities

  • CRITICAL 9.6  CVE-2022-4135  [KEV]  Heap buffer overflow in GPU
    >= 19.0.0, < 19.1.8
  • HIGH 8.8  CVE-2023-5217  [KEV]  Electron affected by libvpx's heap buffer overflow in vp8 encoding
    from 0, < 22.3.25
  • HIGH 8.8  CVE-2023-4863  [KEV]  libwebp: OOB write in BuildHuffmanTable
    >= 22.0.0, < 22.3.24
  • CRITICAL 9.8  CVE-2017-16151  Chromium Remote Code Execution in electron
    from 0, < 1.6.14
  • HIGH 8.8  CVE-2018-1000118  Electron protocol handler browser vulnerable to Command Injection
    from 0, < 1.8.2-beta5
  • HIGH 8.8  CVE-2018-1000006  Remote Code Execution in electron
    >= 1.7.0, < 1.7.11
  • HIGH 8.3  CVE-2026-34780  Electron: Context Isolation bypass via contextBridge VideoFrame transfer
    >= 39.0.0-alpha.1, < 39.8.0
  • HIGH 8.1  CVE-2026-34774  Electron: Use-after-free in offscreen child window paint callback
    from 0, < 39.8.1
  • HIGH 8.1  CVE-2017-12581  Electron vulnerable to remote command execution
    from 0, < 1.6.8
  • HIGH 8.1  CVE-2018-15685  Electron webPreferences vulnerability can be used to perform remote code execution
    >= 1.7.0, < 1.7.16
  • HIGH 8.1  CVE-2018-1000136  Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
    >= 1.7.0, < 1.7.13
  • HIGH 7.8  CVE-2024-46992  electron ASAR Integrity bypass by just modifying the content
    >= 30.0.0-alpha.1, < 30.0.5
  • HIGH 7.8  CVE-2020-4076  Context isolation bypass via leaked cross-context objects in Electron
    from 0, < 7.2.4
  • HIGH 7.8  CVE-2016-1202  High severity vulnerability that affects electron
    from 0, < 0.33.5
  • HIGH 7.7  CVE-2026-34769  Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
    from 0, < 38.8.6
  • HIGH 7.7  CVE-2020-4077  Context isolation bypass via contextBridge in Electron
    from 0, < 7.2.4
  • HIGH 7.5  CVE-2026-34771  Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
    from 0, < 38.8.6
  • HIGH 7.5  CVE-2023-23623  Electron's Content-Security-Policy disabling eval not applied consistently in renderers with sandbox disabled
    >= 22.0.0-beta.1, < 22.0.1
  • HIGH 7.5  CVE-2020-15174  Unpreventable top-level navigation
    >= 8.0.0-beta.0, < 8.5.1
  • HIGH 7.0  CVE-2026-34770  Electron: Use-after-free in PowerMonitor on Windows and macOS
    from 0, < 38.8.6
  • MEDIUM 6.8  CVE-2026-34775  Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
    from 0, < 38.8.6
  • MEDIUM 6.8  CVE-2021-39184  Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
    from 0, < 11.5.0
  • MEDIUM 6.8  CVE-2020-4075  Arbitrary file read via window-open IPC in Electron
    from 0, < 7.2.4
  • MEDIUM 6.8  CVE-2020-15096  Context isolation bypass via Promise in Electron
    from 0, < 6.1.11
  • MEDIUM 6.6  CVE-2022-29257  AutoUpdater module fails to validate certain nested components of the bundle
    from 0, < 15.5.0
  • MEDIUM 6.5  CVE-2026-34779  Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
    from 0, < 38.8.6
  • MEDIUM 6.1  CVE-2025-55305  Electron has ASAR Integrity Bypass via resource modification
    from 0, < 35.7.5
  • MEDIUM 6.1  CVE-2023-44402  ASAR Integrity bypass via filetype confusion in electron
    from 0, < 22.3.24
  • MEDIUM 6.1  CVE-2023-39956  Electron vulnerable to out-of-package code execution when launched with arbitrary cwd
    from 0, < 22.3.19
  • MEDIUM 6.0  CVE-2026-34765  Electron: Named window.open targets not scoped to the opener's browsing context
    from 0, < 39.8.5
  • MEDIUM 6.0  CVE-2023-29198  Electron context isolation bypass via nested unserializable return value
    from 0, < 22.3.6
  • MEDIUM 5.9  CVE-2026-34778  Electron: Service worker can spoof executeJavaScript IPC replies
    from 0, < 38.8.6
  • MEDIUM 5.9  CVE-2026-34767  Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
    from 0, < 38.8.6
  • MEDIUM 5.8  CVE-2026-34772  Electron: Use-after-free in download save dialog callback
    from 0, < 38.8.6
  • MEDIUM 5.6  CVE-2020-15215  Context isolation bypass in Electron
    >= 8.0.0-beta.0, < 8.5.2
  • MEDIUM 5.4  CVE-2026-34777  Electron: Incorrect origin passed to permission request handler for iframe requests
    from 0, < 38.8.6
  • MEDIUM 5.4  CVE-2022-36077  Exfiltration of hashed SMB credentials on Windows via file:// redirect
    from 0, < 18.3.7
  • MEDIUM 5.4  CVE-2020-26272  IPC messages delivered to the wrong frame in Electron
    from 0, < 9.4.0
  • MEDIUM 5.3  CVE-2026-34776  Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
    from 0, < 38.8.6
  • MEDIUM 4.7  CVE-2026-34773  Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
    from 0, < 38.8.6
  • MEDIUM 4.3  CVE-2017-1000424  Electron vulnerable to URL spoofing via PDFium
    >= 1.7.0, < 1.7.6
  • LOW 3.9  CVE-2026-34768  Electron: Unquoted executable path in app.setLoginItemSettings on Windows
    from 0, < 38.8.6
  • LOW 3.4  CVE-2022-21718  Renderers can obtain access to random bluetooth device without permission in Electron
    from 0, < 13.6.6
  • LOW 3.3  CVE-2026-34766  Electron: USB device selection not validated against filtered device list
    from 0, < 38.8.6
  • LOW 2.8  CVE-2026-34781  Electron: Crash in clipboard.readImage() on malformed clipboard image data
    from 0, < 39.8.5
  • LOW 2.3  CVE-2026-34764  Electron: Use-after-free in offscreen shared texture release() callback
    >= 33.0.0-alpha.1, < 39.8.5
  • LOW 2.2  CVE-2022-29247  Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
    from 0, < 15.5.5
  • (no severity listed)  CVE-2024-46993  Electron vulnerable to Heap Buffer Overflow in NativeImage
    from 0, < 28.3.2
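The ranges above use two notations, ">= A, < B" and "from 0, < B", and several bounds are prerelease tags (39.0.0-alpha.1, 1.8.2-beta5), so a naive string or float comparison gets them wrong. The script below is an added example, not part of this listing and not Electron's own tooling: it implements semver ordering from the spec (no dependency, runs offline) and checks a given Electron version against affected-range strings in exactly the format used here. The ADVISORIES table is a constructed subset of the entries above; everything else is plain Node.js.

```javascript
// Added example: check an Electron version against affected-range strings in
// the format used by this listing, e.g. ">= 19.0.0, < 19.1.8" or
// "from 0, < 22.3.25". Semver comparison is implemented inline so the script
// needs no packages. Not part of the listing or of the Electron project.

// Parse "1.8.2-beta5" into { core: [1, 8, 2], pre: ["beta5"] }; pre is null for releases.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Compare one prerelease identifier per the semver spec: numeric identifiers
// compare as numbers and sort below alphanumeric ones; alphanumerics compare as ASCII.
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Total order on versions (-1, 0, 1). A prerelease sorts below its release,
// so 39.0.0-alpha.1 < 39.0.0 and 1.8.2-beta5 < 1.8.2.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    if (A.pre[i] === undefined) return -1; // shorter prerelease list is lower
    if (B.pre[i] === undefined) return 1;
    const c = cmpIdent(A.pre[i], B.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Bounds such as "0" in "from 0" are not full semver strings; pad the core to x.y.z.
function padCore(v) {
  const [core, ...pre] = v.split('-');
  const parts = core.split('.');
  while (parts.length < 3) parts.push('0');
  return parts.join('.') + (pre.length ? '-' + pre.join('-') : '');
}

// Turn "op version, op version" into a list of predicates. "from X" means ">= X".
function parseRange(range) {
  return range.split(',').map((clause) => {
    const m = /^\s*(from|>=|>|<=|<|=)\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`bad range clause: ${clause}`);
    const op = m[1] === 'from' ? '>=' : m[1];
    const bound = padCore(m[2]);
    return (v) => {
      const c = compareVersions(v, bound);
      if (op === '>=') return c >= 0;
      if (op === '>') return c > 0;
      if (op === '<=') return c <= 0;
      if (op === '<') return c < 0;
      return c === 0;
    };
  });
}

// True when `version` satisfies every clause of `range`.
function inRange(version, range) {
  return parseRange(range).every((pred) => pred(version));
}

// Constructed subset of the listing above: [CVE id, affected range as printed].
const ADVISORIES = [
  ['CVE-2022-4135', '>= 19.0.0, < 19.1.8'],
  ['CVE-2023-5217', 'from 0, < 22.3.25'],
  ['CVE-2026-34780', '>= 39.0.0-alpha.1, < 39.8.0'],
  ['CVE-2026-34764', '>= 33.0.0-alpha.1, < 39.8.5'],
  ['CVE-2018-1000118', 'from 0, < 1.8.2-beta5'],
];

// CVE ids whose listed range contains `version`. An empty result means
// "not flagged by this data", not "unaffected": the listing prints one range per CVE.
function matchingAdvisories(version, advisories = ADVISORIES) {
  return advisories.filter(([, range]) => inRange(version, range)).map(([id]) => id);
}

// Usage: node check-electron.js 39.7.2
if (typeof require !== 'undefined' && require.main === module) {
  const v = process.argv[2] || '39.7.2';
  console.log(v, '->', matchingAdvisories(v));
}
```

Feed it the version reported by `npm ls electron` in the project, or `process.versions.electron` from inside a running app. Two caveats worth keeping in mind: the listing prints a single affected range per CVE, so a version that falls outside that range is merely not flagged by this data rather than confirmed unaffected, and bounds with prerelease tags are compared by the semver rules above (39.0.0-alpha.1 sorts below 39.0.0), which is what makes the "< 39.8.0" cutoff work against a 39.x prerelease build.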