CVE-2026-34778 - NVD | ByteOS Network

NVD Vulnerability Details :

CVE-2026-34778

Analyzed

More Info Official Page

Source-security-advisories@github.com

Published At-04 Apr, 2026 | 00:16

Updated At-20 Apr, 2026 | 14:22

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Type: Secondary

Version: 3.1

Base score: 5.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Type: Primary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CPE Matches

Electron (OpenJS Foundation)

>>electron>>Versions before 38.8.6(exclusive)

cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>Versions from 39.0.0(inclusive) to 39.8.1(exclusive)

cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>Versions from 40.0.0(inclusive) to 40.8.1(exclusive)

cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*

Electron (OpenJS Foundation)

>>electron>>41.0.0

cpe:2.3:a:electronjs:electron:41.0.0:beta8:*:*:*:node.js:*:*

Weaknesses

CWE ID	Type	Source
CWE-290	Primary	security-advisories@github.com
CWE-345	Primary	security-advisories@github.com

CWE ID: CWE-290

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-345

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/electron/electron/security/advisories/GHSA-xj5x-m3f3-5x3h	security-advisories@github.com	Vendor Advisory

Hyperlink: https://github.com/electron/electron/security/advisories/GHSA-xj5x-m3f3-5x3h

Source: security-advisories@github.com

Resource:

Vendor Advisory