Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.

ProtonVPN before 3.2.10 on Windows mishandles the drive installer path, which should use this: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' in Setup/setup.iss.

Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.

ProtonMail Web Client is the official AngularJS web client for the ProtonMail secure email service. ProtonMail Web Client before version 3.16.60 has a regular expression denial-of-service vulnerability. This was fixed in commit 6687fb. There is a full report available in the referenced GHSL-2021-027.

Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF).

Optergy Proton/Enterprise devices allow Username Disclosure.

Optergy Proton/Enterprise devices allow Authenticated File Upload with Code Execution as root.

Optergy Proton/Enterprise devices allow Open Redirect.

Optergy Proton/Enterprise devices allow Unauthenticated Internal Network Information Disclosure.

Optergy Proton/Enterprise devices have an Unauthenticated SMS Sending Service.