CVE-2020-26272 – electron

Package

Manager: npm
Name: electron
Vulnerable Version: >=10.0.0 <10.2.0 || >=11.0.0 <11.1.0 || >=9.0.0 <9.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00965 pctl0.75674

Details

IPC messages delivered to the wrong frame in Electron ### Impact IPC messages sent from the main process to a subframe in the renderer process, through `webContents.sendToFrame`, `event.reply` or when using the `remote` module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: - Uses `remote` - Calls `webContents.sendToFrame` - Calls `event.reply` in an IPC message handler ### Patches This has been fixed in the following versions: - 9.4.0 - 10.2.0 - 11.1.0 - 12.0.0-beta.9 ### Workarounds There are no workarounds for this issue. ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

Metadata

Created: 2021-01-28T19:11:34Z
Modified: 2025-05-27T15:20:19Z
Source: MANUAL
CWE IDs: ["CWE-668"]
Alternative ID: GHSA-hvf8-h2qh-37m9
Finding: F017
Auto approve: 1