electron (npm) security advisories

MEDIUM 6.0

npm

CVE-2026-34765

Electron: Named window.open targets not scoped to the opener's browsing context

Apr 7, 2026

LOW 2.8

npm

CVE-2026-34781

Electron: Crash in clipboard.readImage() on malformed clipboard image data

Apr 7, 2026

LOW 2.3

npm

CVE-2026-34764

Electron: Use-after-free in offscreen shared texture release() callback

Apr 3, 2026

MEDIUM 5.9

npm

CVE-2026-34767

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

Apr 3, 2026

HIGH 7.0

npm

CVE-2026-34770

Electron: Use-after-free in PowerMonitor on Windows and macOS

Apr 3, 2026

MEDIUM 5.3

npm

CVE-2026-34776

Electron: Out-of-bounds read in second-instance IPC on macOS and Linux

Apr 3, 2026

MEDIUM 6.5

npm

CVE-2026-34779

Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

Apr 3, 2026

MEDIUM 6.8

npm

CVE-2026-34775

Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes

Apr 3, 2026

MEDIUM 5.9

npm

CVE-2026-34778

Electron: Service worker can spoof executeJavaScript IPC replies

Apr 3, 2026

HIGH 8.1

npm

CVE-2026-34774

Electron: Use-after-free in offscreen child window paint callback

Apr 3, 2026

MEDIUM 5.8

npm

CVE-2026-34772

Electron: Use-after-free in download save dialog callback

Apr 3, 2026

HIGH 8.3

npm

CVE-2026-34780

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Apr 3, 2026

LOW 3.9

npm

CVE-2026-34768

Electron: Unquoted executable path in app.setLoginItemSettings on Windows

Apr 3, 2026

HIGH 7.7

npm

CVE-2026-34769

Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

Apr 3, 2026

HIGH 7.5

npm

CVE-2026-34771

Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks

Apr 3, 2026

MEDIUM 5.4

npm

CVE-2026-34777

Electron: Incorrect origin passed to permission request handler for iframe requests

Apr 3, 2026

LOW 3.3

npm

CVE-2026-34766

Electron: USB device selection not validated against filtered device list

Apr 3, 2026

MEDIUM 4.7

npm

CVE-2026-34773

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Apr 3, 2026

HIGH 7.5

npm

CVE-2020-15174

Unpreventable top-level navigation

Oct 6, 2020

MEDIUM 5.4

npm

CVE-2020-26272

IPC messages delivered to the wrong frame in Electron

Jan 28, 2021

MEDIUM 6.8

npm

CVE-2020-15096

Context isolation bypass via Promise in Electron

Jul 7, 2020

MEDIUM 5.6

npm

CVE-2020-15215

Context isolation bypass in Electron

Oct 6, 2020

HIGH 7.8

npm

CVE-2020-4076

Context isolation bypass via leaked cross-context objects in Electron

Jul 7, 2020

MEDIUM 6.8

npm

CVE-2020-4075

Arbitrary file read via window-open IPC in Electron

Jul 7, 2020

MEDIUM 6.8

npm

CVE-2021-39184

Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API

Oct 12, 2021

HIGH 7.7

npm

CVE-2020-4077

Context isolation bypass via contextBridge in Electron

Jul 7, 2020

HIGH 8.8

crates.io KEV

CVE-2023-4863

libwebp: OOB write in BuildHuffmanTable

Sep 12, 2023

MEDIUM 6.1

npm

CVE-2025-55305

Electron has ASAR Integrity Bypass via resource modification

Sep 3, 2025

UNKNOWN

npm

CVE-2024-46993

Electron vulnerable to Heap Buffer Overflow in NativeImage

Jun 30, 2025

HIGH 7.8

npm

CVE-2024-46992

electron ASAR Integrity bypass by just modifying the content

Jun 30, 2025

MEDIUM 6.1

npm

CVE-2023-44402

ASAR Integrity bypass via filetype confusion in electron

Dec 1, 2023

HIGH 8.8

npm KEV

CVE-2023-5217

Electron affected by libvpx's heap buffer overflow in vp8 encoding

Sep 28, 2023

MEDIUM 6.1

npm

CVE-2023-39956

Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

Sep 6, 2023

MEDIUM 6.0

npm

CVE-2023-29198

Electron context isolation bypass via nested unserializable return value

Sep 6, 2023

HIGH 7.5

npm

CVE-2023-23623

Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled

Sep 6, 2023

CRITICAL 9.6

npm KEV

CVE-2022-4135

Heap buffer overflow in GPU

Nov 25, 2022

MEDIUM 5.4

npm

CVE-2022-36077

Exfiltration of hashed SMB credentials on Windows via file:// redirect

Nov 10, 2022

MEDIUM 6.6

npm

CVE-2022-29257

AutoUpdater module fails to validate certain nested components of the bundle

Jun 16, 2022

LOW 2.2

npm

CVE-2022-29247

Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled

Jun 16, 2022

LOW 3.4

npm

CVE-2022-21718

Renderers can obtain access to random bluetooth device without permission in Electron

Mar 22, 2022

HIGH 8.1

npm

CVE-2018-15685

Electron webPreferences vulnerability can be used to perform remote code execution

Aug 23, 2018

HIGH 8.1

npm

CVE-2018-1000136

Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

Mar 26, 2018

HIGH 8.8

npm

CVE-2018-1000118

Electron protocol handler browser vulnerable to Command Injection

Mar 26, 2018

HIGH 8.8

npm

CVE-2018-1000006

Remote Code Execution in electron

Jan 23, 2018

CRITICAL 9.8

npm

CVE-2017-16151

Chromium Remote Code Execution in electron

Jul 24, 2018

HIGH 8.1

npm

CVE-2017-12581

Electron vulnerable to remote command execution

May 17, 2022

MEDIUM 4.3

npm

CVE-2017-1000424

Electron vulnerable to URL spoofing via PDFium

May 13, 2022

HIGH 7.8

npm

CVE-2016-1202

High severity vulnerability that affects electron

Oct 24, 2017

electron

Vulnerabilities

Electron: Named window.open targets not scoped to the opener's browsing context

Electron: Crash in clipboard.readImage() on malformed clipboard image data

Electron: Use-after-free in offscreen shared texture release() callback

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

Electron: Use-after-free in PowerMonitor on Windows and macOS

Electron: Out-of-bounds read in second-instance IPC on macOS and Linux

Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes

Electron: Service worker can spoof executeJavaScript IPC replies

Electron: Use-after-free in offscreen child window paint callback

Electron: Use-after-free in download save dialog callback

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Electron: Unquoted executable path in app.setLoginItemSettings on Windows

Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks

Electron: Incorrect origin passed to permission request handler for iframe requests

Electron: USB device selection not validated against filtered device list

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Unpreventable top-level navigation

IPC messages delivered to the wrong frame in Electron

Context isolation bypass via Promise in Electron

Context isolation bypass in Electron

Context isolation bypass via leaked cross-context objects in Electron

Arbitrary file read via window-open IPC in Electron

Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API

Context isolation bypass via contextBridge in Electron

libwebp: OOB write in BuildHuffmanTable

Electron has ASAR Integrity Bypass via resource modification

Electron vulnerable to Heap Buffer Overflow in NativeImage

electron ASAR Integrity bypass by just modifying the content

ASAR Integrity bypass via filetype confusion in electron

Electron affected by libvpx's heap buffer overflow in vp8 encoding

Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

Electron context isolation bypass via nested unserializable return value

Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled

Heap buffer overflow in GPU

Exfiltration of hashed SMB credentials on Windows via file:// redirect

AutoUpdater module fails to validate certain nested components of the bundle

Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled

Renderers can obtain access to random bluetooth device without permission in Electron

Electron webPreferences vulnerability can be used to perform remote code execution

Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

Electron protocol handler browser vulnerable to Command Injection

Remote Code Execution in electron

Chromium Remote Code Execution in electron

Electron vulnerable to remote command execution

Electron vulnerable to URL spoofing via PDFium

High severity vulnerability that affects electron

Start Securing