A critical remote code execution vulnerability has been discovered in the popular Electron web application framework. Trustwave researcher Brendan Scarvell has released proof-of-concept (PoC) code that attackers can inject, by exploiting a cross-site scripting flaw, into targeted applications running without “webviewTag” declared. The vulnerability, tracked as CVE-2018-1000136, was reported to the Electron team by Scarvell earlier this year and affected all versions of Electron at the time of discovery. Note that the exploit would not work if the developer has also opted for one of the following options:
Source: https://thehackernews.com/2018/05/electron-node-integration.html

