Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. electron
  4. ›
  5. CVE-2020-26272

CVE-2020-26272: IPC messages delivered to the wrong frame in Electron

January 28, 2021 (updated May 27, 2025)

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

  • Uses remote
  • Calls webContents.sendToFrame
  • Calls event.reply in an IPC message handler

References

  • github.com/advisories/GHSA-hvf8-h2qh-37m9
  • github.com/electron/electron/commit/07a1c2a3e5845901f7e2eda9506695be58edc73c
  • github.com/electron/electron/commit/0bbd268eb4caf35604443df5ff196980dd49e208
  • github.com/electron/electron/commit/36c695ce2a7e22c07fe1e30c61c00d20371daee2
  • github.com/electron/electron/commit/429400040ecb16a21d19936658579e65a797e4cc
  • github.com/electron/electron/commit/5c8e7e8b7f485ceafa8b271086d7b87e1de9dedd
  • github.com/electron/electron/pull/26875
  • github.com/electron/electron/releases/tag/v9.4.0
  • github.com/electron/electron/security/advisories/GHSA-hvf8-h2qh-37m9
  • nvd.nist.gov/vuln/detail/CVE-2020-26272
  • www.electronjs.org/releases/stable?version=9

Code Behaviors & Features

Detect and mitigate CVE-2020-26272 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 9.4.0, all versions starting from 10.0.0 before 10.2.0, all versions starting from 11.0.0 before 11.1.0

Fixed versions

  • 9.4.0
  • 10.2.0
  • 11.1.0

Solution

Upgrade to versions 10.2.0, 11.1.0, 9.4.0 or above.

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Learn more about CVSS

Weakness

  • CWE-668: Exposure of Resource to Wrong Sphere

Source file

npm/electron/CVE-2020-26272.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Mon, 01 Sep 2025 12:20:00 +0000.