Frank Davidson

**Name of the Vulnerable Software and Affected Versions** Electrum versions prior to 4.2.2 **Description** The issue allows a file:// URL in the `r` parameter of a payment request, which can be exploited in various ways depending on the operating system. On Windows, this can lead to the capture of credentials over SMB. On Linux and UNIX, it can cause a denial of service by specifying the /dev/zero filename, potentially disrupting system operations. **Recommendations** For Electrum versions prior to 4.2.2, update to version 4.2.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `r` parameter in payment requests to prevent potential exploitation.