Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/994084?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "type": "npm", "namespace": "", "name": "electron", "version": "41.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "41.1.0", "latest_non_vulnerable_version": "42.0.0-alpha.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349569?format=api", "vulnerability_id": "VCID-7yvz-624p-m7fe", "summary": "Electron: Use-after-free in offscreen shared texture release() callback", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34764.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34764.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34764", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02673", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.027", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0268", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02678", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03435", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0489", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05044", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05045", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05004", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04973", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04829", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04871", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04819", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34764" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34764", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34764" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455466", "reference_id": "2455466", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455466" }, { "reference_url": "https://github.com/advisories/GHSA-8x5q-pvf5-64mp", "reference_id": "GHSA-8x5q-pvf5-64mp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8x5q-pvf5-64mp" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp", "reference_id": "GHSA-8x5q-pvf5-64mp", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:47:38Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994329?format=api", "purl": "pkg:npm/electron@41.1.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/994333?format=api", "purl": "pkg:npm/electron@42.0.0-alpha.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@42.0.0-alpha.5" } ], "aliases": [ "CVE-2026-34764", "GHSA-8x5q-pvf5-64mp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7yvz-624p-m7fe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349507?format=api", "vulnerability_id": "VCID-t1z9-bmnv-57bm", "summary": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest\n### Impact\nApps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.\n\nAn attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.\n\nApps that do not reflect external input into response headers are not affected.\n\n### Workarounds\nValidate or sanitize any untrusted input before including it in a response header name or value.\n\n### Fixed Versions\n* `41.0.3`\n* `40.8.3`\n* `39.8.3`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34767.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34767.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34767", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01535", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01281", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01285", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0128", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01274", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08164", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08159", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08105", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08944", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09178", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09288", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0918", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09301", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0933", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34767" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T19:07:46Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34767", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34767" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455000", "reference_id": "2455000", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455000" }, { "reference_url": "https://github.com/advisories/GHSA-4p4r-m79c-wq3v", "reference_id": "GHSA-4p4r-m79c-wq3v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4p4r-m79c-wq3v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994115?format=api", "purl": "pkg:npm/electron@41.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.3" } ], "aliases": [ "CVE-2026-34767", "GHSA-4p4r-m79c-wq3v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t1z9-bmnv-57bm" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349456?format=api", "vulnerability_id": "VCID-2uv6-6zfm-x7c6", "summary": "Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows\n### Impact\nOn Windows, `app.setAsDefaultProtocolClient(protocol)` did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under `HKCU\\Software\\Classes\\`, potentially hijacking existing protocol handlers.\n\nApps are only affected if they call `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.\n\n### Workarounds\nValidate the protocol name matches `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before passing it to `app.setAsDefaultProtocolClient()`.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.1`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34773.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34773.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34773", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0158", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05499", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05457", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05501", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06326", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.07869", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.07912", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.07927", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08958", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08971", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08849", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08824", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09008", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34773" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:03:47Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34773", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34773" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455025", "reference_id": "2455025", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455025" }, { "reference_url": "https://github.com/advisories/GHSA-mwmh-mq4g-g6gr", "reference_id": "GHSA-mwmh-mq4g-g6gr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mwmh-mq4g-g6gr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994081?format=api", "purl": "pkg:npm/electron@38.8.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-ttvv-eca2-sfhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@38.8.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/994086?format=api", "purl": "pkg:npm/electron@39.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994087?format=api", "purl": "pkg:npm/electron@40.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" } ], "aliases": [ "CVE-2026-34773", "GHSA-mwmh-mq4g-g6gr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2uv6-6zfm-x7c6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349438?format=api", "vulnerability_id": "VCID-cjzy-nxnq-ffdp", "summary": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes\n### Impact\nThe `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.\n\nApps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.\n\n### Workarounds\nAvoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.4`\n* `39.8.4`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34775.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34775.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34775", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01183", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01716", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01688", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01692", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02059", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08851", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08839", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08773", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09618", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09747", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.0959", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09731", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09767", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.0978", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34775" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-06T15:52:56Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34775", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34775" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455023", "reference_id": "2455023", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455023" }, { "reference_url": "https://github.com/advisories/GHSA-xwr5-m59h-vwqr", "reference_id": "GHSA-xwr5-m59h-vwqr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xwr5-m59h-vwqr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994081?format=api", "purl": "pkg:npm/electron@38.8.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-ttvv-eca2-sfhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@38.8.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/994082?format=api", "purl": "pkg:npm/electron@39.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/994083?format=api", "purl": "pkg:npm/electron@40.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" } ], "aliases": [ "CVE-2026-34775", "GHSA-xwr5-m59h-vwqr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cjzy-nxnq-ffdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349505?format=api", "vulnerability_id": "VCID-gxk8-9wc6-wkhs", "summary": "Electron: Service worker can spoof executeJavaScript IPC replies\n### Impact\nA service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data.\n\nApps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions.\n\n### Workarounds\nDo not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.1`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34778.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34778.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34778", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02427", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02428", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02431", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03226", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03253", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03295", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03189", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03178", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03205", "published_at": "2026-04-13T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00434", "published_at": "2026-05-05T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00312", "published_at": "2026-04-21T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00313", "published_at": "2026-04-24T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00311", "published_at": "2026-04-26T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00307", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34778" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-xj5x-m3f3-5x3h", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T15:50:39Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-xj5x-m3f3-5x3h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34778", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34778" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455024", "reference_id": "2455024", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455024" }, { "reference_url": "https://github.com/advisories/GHSA-xj5x-m3f3-5x3h", "reference_id": "GHSA-xj5x-m3f3-5x3h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xj5x-m3f3-5x3h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994081?format=api", "purl": "pkg:npm/electron@38.8.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-ttvv-eca2-sfhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@38.8.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/994086?format=api", "purl": "pkg:npm/electron@39.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994087?format=api", "purl": "pkg:npm/electron@40.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" } ], "aliases": [ "CVE-2026-34778", "GHSA-xj5x-m3f3-5x3h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gxk8-9wc6-wkhs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349510?format=api", "vulnerability_id": "VCID-k7gj-cczw-wfeb", "summary": "Electron: Incorrect origin passed to permission request handler for iframe requests\n### Impact\nWhen an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions, the origin passed to `session.setPermissionRequestHandler()` was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or `webContents.getURL()` may inadvertently grant permissions to embedded third-party content.\n\nThe correct requesting URL remains available via `details.requestingUrl`. Apps that already check `details.requestingUrl` are not affected.\n\n### Workarounds\nIn your `setPermissionRequestHandler`, inspect `details.requestingUrl` rather than the origin parameter or `webContents.getURL()` when deciding whether to grant `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.1`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34777.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34777.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34777", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02646", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02653", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02651", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03224", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03209", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03199", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03315", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03273", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03245", "published_at": "2026-04-12T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00289", "published_at": "2026-04-29T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00294", "published_at": "2026-04-26T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00296", "published_at": "2026-04-24T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.0036", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34777" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T15:32:48Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34777", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34777" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455022", "reference_id": "2455022", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455022" }, { "reference_url": "https://github.com/advisories/GHSA-r5p7-gp4j-qhrx", "reference_id": "GHSA-r5p7-gp4j-qhrx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r5p7-gp4j-qhrx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994081?format=api", "purl": "pkg:npm/electron@38.8.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-ttvv-eca2-sfhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@38.8.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/994086?format=api", "purl": "pkg:npm/electron@39.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994087?format=api", "purl": "pkg:npm/electron@40.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" } ], "aliases": [ "CVE-2026-34777", "GHSA-r5p7-gp4j-qhrx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k7gj-cczw-wfeb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349496?format=api", "vulnerability_id": "VCID-ttvv-eca2-sfhu", "summary": "Electron: Use-after-free in offscreen child window paint callback\n### Impact\nApps that use offscreen rendering and allow child windows via `window.open()` may be vulnerable to a use-after-free. If the parent offscreen `WebContents` is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.\n\nApps are only affected if they use offscreen rendering (`webPreferences.offscreen: true`) and their `setWindowOpenHandler` permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.\n\n### Workarounds\nDeny child window creation from offscreen renderers in your `setWindowOpenHandler`, or ensure child windows are closed before the parent is destroyed.\n\n### Fixed Versions\n* `41.0.0`\n* `40.7.0`\n* `39.8.1`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34774.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34774.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34774", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04115", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04664", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04638", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04604", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05329", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13074", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13196", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.12993", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.1754", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17645", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17549", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17595", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17673", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17691", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34774" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-06T15:28:41Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34774", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34774" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455026", "reference_id": "2455026", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455026" }, { "reference_url": "https://github.com/advisories/GHSA-532v-xpq5-8h95", "reference_id": "GHSA-532v-xpq5-8h95", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-532v-xpq5-8h95" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994086?format=api", "purl": "pkg:npm/electron@39.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994095?format=api", "purl": "pkg:npm/electron@40.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2uv6-6zfm-x7c6" }, { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-gxk8-9wc6-wkhs" }, { "vulnerability": "VCID-hynm-7wty-ruhq" }, { "vulnerability": "VCID-k7gj-cczw-wfeb" }, { "vulnerability": "VCID-ktbs-t8kb-5kch" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" }, { "vulnerability": "VCID-uwqv-4aqn-87fd" }, { "vulnerability": "VCID-vda9-xbsz-d7fm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.7.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" } ], "aliases": [ "CVE-2026-34774", "GHSA-532v-xpq5-8h95" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ttvv-eca2-sfhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349442?format=api", "vulnerability_id": "VCID-vda9-xbsz-d7fm", "summary": "Electron: Out-of-bounds read in second-instance IPC on macOS and Linux\n### Impact\nOn macOS and Linux, apps that call `app.requestSingleInstanceLock()` were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's `second-instance` event handler.\n\nThis issue is limited to processes running as the same user as the Electron app.\n\nApps that do not call `app.requestSingleInstanceLock()` are not affected. Windows is not affected by this issue.\n\n### Workarounds\nThere are no app side workarounds, developers must update to a patched version of Electron.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.1`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34776.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34776.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34776", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.0121", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01662", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02182", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02179", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02178", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02866", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.0285", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02917", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02889", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02871", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.0286", "published_at": "2026-04-18T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00401", "published_at": "2026-04-24T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00402", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34776" }, { "reference_url": "https://github.com/electron/electron", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electron/electron" }, { "reference_url": "https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T15:31:24Z/" } ], "url": "https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34776", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34776" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455021", "reference_id": "2455021", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455021" }, { "reference_url": "https://github.com/advisories/GHSA-3c8v-cfp5-9885", "reference_id": "GHSA-3c8v-cfp5-9885", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3c8v-cfp5-9885" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994081?format=api", "purl": "pkg:npm/electron@38.8.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-ttvv-eca2-sfhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@38.8.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/994086?format=api", "purl": "pkg:npm/electron@39.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994087?format=api", "purl": "pkg:npm/electron@40.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-cjzy-nxnq-ffdp" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@40.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/994084?format=api", "purl": "pkg:npm/electron@41.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7yvz-624p-m7fe" }, { "vulnerability": "VCID-t1z9-bmnv-57bm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" } ], "aliases": [ "CVE-2026-34776", "GHSA-3c8v-cfp5-9885" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vda9-xbsz-d7fm" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electron@41.0.0" }