Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1100029?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1100029?format=api", "purl": "pkg:npm/electron@39.8.2", "type": "npm", "namespace": "", "name": "electron", "version": "39.8.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "39.8.5", "latest_non_vulnerable_version": "42.0.0-alpha.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349569?format=api", "vulnerability_id": "VCID-7yvz-624p-m7fe", "summary": "Electron: Use-after-free in offscreen shared texture release() callback", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34764.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34764.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34764", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02673", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.027", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0268", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02678", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03454", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03435", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04871", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05044", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05045", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05004", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04973", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04819", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04829", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0489", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34764" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34764", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34764" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455466", "reference_id": "2455466", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455466" }, { "reference_url": "https://github.com/advisories/GHSA-8x5q-pvf5-64mp", "reference_id": "GHSA-8x5q-pvf5-64mp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8x5q-pvf5-64mp" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp", "reference_id": "GHSA-8x5q-pvf5-64mp", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:47:38Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994331?format=api", "purl": "pkg:npm/electron@39.8.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/994330?format=api", "purl": "pkg:npm/electron@40.8.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/994329?format=api", "purl": "pkg:npm/electron@41.1.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/994333?format=api", "purl": "pkg:npm/electron@42.0.0-alpha.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@42.0.0-alpha.5" } ], "aliases": [ "CVE-2026-34764", "GHSA-8x5q-pvf5-64mp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7yvz-624p-m7fe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349438?format=api", "vulnerability_id": "VCID-cjzy-nxnq-ffdp", "summary": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes\n### Impact\nThe `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.\n\nApps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.\n\n### Workarounds\nAvoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.4`\n* `39.8.4`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34775.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34775.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34775", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01183", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01716", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01688", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01692", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02059", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02051", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08851", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08839", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08773", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.0959", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09747", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09731", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09618", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09767", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.0978", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34775" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-06T15:52:56Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34775", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34775" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455023", "reference_id": "2455023", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455023" }, { "reference_url": "https://github.com/advisories/GHSA-xwr5-m59h-vwqr", "reference_id": "GHSA-xwr5-m59h-vwqr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xwr5-m59h-vwqr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994082?format=api", "purl": "pkg:npm/electron@39.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-rcpz-szwh-h7gk" }, { "vulnerability": "VCID-xrgp-tcyv-qka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/994083?format=api", "purl": "pkg:npm/electron@40.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-rcpz-szwh-h7gk" }, { "vulnerability": "VCID-xrgp-tcyv-qka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-rcpz-szwh-h7gk" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" }, { "vulnerability": "VCID-xrgp-tcyv-qka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" } ], "aliases": [ "CVE-2026-34775", "GHSA-xwr5-m59h-vwqr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cjzy-nxnq-ffdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/350003?format=api", "vulnerability_id": "VCID-rcpz-szwh-h7gk", "summary": "Electron: Named window.open targets not scoped to the opener's browsing context", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34765.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34765.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34765", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06265", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06084", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06105", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06135", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06142", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06164", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15993", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15933", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15971", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1593", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.17888", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.1784", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.1783", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34765" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v39.8.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v39.8.5" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v40.8.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v40.8.5" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v41.1.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v41.1.0" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34765", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34765" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456278", "reference_id": "2456278", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456278" }, { "reference_url": "https://github.com/advisories/GHSA-f3pv-wv63-48x8", "reference_id": "GHSA-f3pv-wv63-48x8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f3pv-wv63-48x8" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8", "reference_id": "GHSA-f3pv-wv63-48x8", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-09T03:56:10Z/" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:30:47Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994331?format=api", "purl": "pkg:npm/electron@39.8.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/994330?format=api", "purl": "pkg:npm/electron@40.8.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/994329?format=api", "purl": "pkg:npm/electron@41.1.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/994333?format=api", "purl": "pkg:npm/electron@42.0.0-alpha.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@42.0.0-alpha.5" } ], "aliases": [ "CVE-2026-34765", "GHSA-f3pv-wv63-48x8" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rcpz-szwh-h7gk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349507?format=api", "vulnerability_id": "VCID-t1z9-bmnv-57bm", "summary": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest\n### Impact\nApps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.\n\nAn attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.\n\nApps that do not reflect external input into response headers are not affected.\n\n### Workarounds\nValidate or sanitize any untrusted input before including it in a response header name or value.\n\n### Fixed Versions\n* `41.0.3`\n* `40.8.3`\n* `39.8.3`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34767.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34767.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34767", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01274", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01535", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01281", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01285", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0128", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01529", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08164", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08159", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08105", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08944", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09178", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09301", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09288", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0918", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0933", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34767" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T19:07:46Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34767", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34767" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455000", "reference_id": "2455000", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455000" }, { "reference_url": "https://github.com/advisories/GHSA-4p4r-m79c-wq3v", "reference_id": "GHSA-4p4r-m79c-wq3v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4p4r-m79c-wq3v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994113?format=api", "purl": "pkg:npm/electron@39.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-rcpz-szwh-h7gk" }, { "vulnerability": "VCID-xrgp-tcyv-qka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/994114?format=api", "purl": "pkg:npm/electron@40.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-rcpz-szwh-h7gk" }, { "vulnerability": "VCID-xrgp-tcyv-qka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/994115?format=api", "purl": "pkg:npm/electron@41.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-rcpz-szwh-h7gk" }, { "vulnerability": "VCID-xrgp-tcyv-qka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.3" } ], "aliases": [ "CVE-2026-34767", "GHSA-4p4r-m79c-wq3v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t1z9-bmnv-57bm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/350004?format=api", "vulnerability_id": "VCID-xrgp-tcyv-qka8", "summary": "Electron: Crash in clipboard.readImage() on malformed clipboard image data", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34781.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34781.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34781", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02435", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02508", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02503", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02516", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02424", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02433", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02455", "published_at": "2026-04-09T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00231", "published_at": "2026-04-29T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00233", "published_at": "2026-04-26T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00234", "published_at": "2026-05-07T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00232", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34781" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/commit/a48f03fb8d03933547281ddb2dbb6c6b9e705287", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/commit/a48f03fb8d03933547281ddb2dbb6c6b9e705287" }, { "reference_url": "https://github.com/electron/electron/pull/50475", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/pull/50475" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v39.8.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v39.8.5" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v40.8.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v40.8.5" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v41.1.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v41.1.0" }, { "reference_url": "https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34781", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34781" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456279", "reference_id": "2456279", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456279" }, { "reference_url": "https://github.com/advisories/GHSA-f37v-82c4-4x64", "reference_id": "GHSA-f37v-82c4-4x64", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f37v-82c4-4x64" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64", "reference_id": "GHSA-f37v-82c4-4x64", "reference_type": "", "scores": [ { "value": "2.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:10:12Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994331?format=api", "purl": "pkg:npm/electron@39.8.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/994330?format=api", "purl": "pkg:npm/electron@40.8.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/994329?format=api", "purl": "pkg:npm/electron@41.1.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/994333?format=api", "purl": "pkg:npm/electron@42.0.0-alpha.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@42.0.0-alpha.5" } ], "aliases": [ "CVE-2026-34781", "GHSA-f37v-82c4-4x64" ], "risk_score": 2.2, "exploitability": "0.5", "weighted_severity": "4.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xrgp-tcyv-qka8" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.2" }