Home

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

PUBLISHED Reserved 2026-03-30 | Published 2026-04-03 | Updated 2026-04-06 | Assigner GitHub_M




MEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Problem types

CWE-290: Authentication Bypass by Spoofing

CWE-345: Insufficient Verification of Data Authenticity

Product status

< 38.8.6
affected

>= 39.0.0-alpha.1, < 39.8.1
affected

>= 40.0.0-alpha.1, < 40.8.1
affected

>= 41.0.0-alpha.1, < 41.0.0
affected

References

github.com/...ectron/security/advisories/GHSA-xj5x-m3f3-5x3h

cve.org (CVE-2026-34778)

nvd.nist.gov (CVE-2026-34778)

Download JSON