| purl | pkg:npm/electron@29.4.5 |
| Next non-vulnerable version | 39.8.5 |
| Latest non-vulnerable version | 42.0.0-alpha.5 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2kk5-3p41-kycs
Aliases: CVE-2026-34773 GHSA-mwmh-mq4g-g6gr |
Electron: Protocol handler hijacking via improper validation of protocol names |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-3wxh-7cvs-g3et
Aliases: CVE-2026-34769 GHSA-9wfr-w7mm-pc7f |
Electron: Arbitrary code execution and security bypass via undocumented command-line switches |
Affected by 4 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-4u89-87dg-zqdt
Aliases: CVE-2026-34776 GHSA-3c8v-cfp5-9885 |
Electron: Information disclosure via crafted second-instance message |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-5cmc-cnnq-xyhw
Aliases: CVE-2026-34781 GHSA-f37v-82c4-4x64 |
Electron: Denial of Service via malformed clipboard image data |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-5w4g-q3st-m7hf
Aliases: CVE-2026-34774 GHSA-532v-xpq5-8h95 |
Electron: Memory corruption and crash due to use-after-free in offscreen rendering |
Affected by 5 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-6vad-u5vg-dba5
Aliases: CVE-2026-34766 GHSA-9899-m83m-qhpj |
Electron: Unauthorized USB device access via select-usb-device event callback validation bypass |
Affected by 4 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-7c28-bmu2-qbcs
Aliases: CVE-2025-55305 GHSA-vmqv-hx8q-j7mg |
Electron has ASAR Integrity Bypass via resource modification. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the `resources` folder in your app installation on Windows, which these fuses are supposed to protect against. |
Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-df1y-n1s8-x3g4
Aliases: CVE-2026-34772 GHSA-9w97-2464-8783 |
Electron: Use-after-free vulnerability leads to memory corruption or crash |
Affected by 4 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-egxx-avtf-ekah
Aliases: CVE-2026-34777 GHSA-r5p7-gp4j-qhrx |
Electron: Unauthorized permission granting and information disclosure via incorrect iframe origin |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-j8e6-q6j5-tyf8
Aliases: CVE-2026-34767 GHSA-4p4r-m79c-wq3v |
Electron: HTTP Response Header Injection via attacker-controlled input |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-p1m4-3gu6-zffw
Aliases: CVE-2026-34778 GHSA-xj5x-m3f3-5x3h |
Electron: Integrity issue due to IPC channel spoofing by a service worker |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-pjqf-nps2-7yhc
Aliases: CVE-2026-34768 GHSA-jfqx-fxh3-c62j |
Electron: Arbitrary code execution via unquoted path in Run registry key |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-qs5f-9ftk-fben
Aliases: CVE-2026-34765 GHSA-f3pv-wv63-48x8 |
Electron: Arbitrary code execution or information disclosure via incorrect window handling |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-t1uc-59dn-j3gd
Aliases: CVE-2026-34770 GHSA-jjp3-mq3x-295m |
Electron: Use-after-free in PowerMonitor on Windows and macOS
### Impact
Apps that use the `powerMonitor` module may be vulnerable to a use-after-free. After the native `PowerMonitor` object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption. All apps that access `powerMonitor` events (`suspend`, `resume`, `lock-screen`, etc.) are potentially affected. The issue is not directly renderer-controllable.
### Workarounds
There are no app-side workarounds; you must update to a patched version of Electron.
### Fixed Versions
* `41.0.0-beta.8`
* `40.8.0`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-wfx6-9nh3-quar
Aliases: CVE-2026-34779 GHSA-5rqw-r77c-jp79 |
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
### Impact
On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call `app.moveToApplicationsFolder()`. Apps that do not use this API are not affected.
### Workarounds
There are no app-side workarounds; developers must update to a patched version of Electron.
### Fixed Versions
* `41.0.0-beta.8`
* `40.8.0`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-x7he-eg8d-g7hj
Aliases: CVE-2026-34775 GHSA-xwr5-m59h-vwqr |
Electron: Arbitrary code execution and information disclosure due to incorrect Node.js integration scoping |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-zzcf-uus6-rqa8
Aliases: CVE-2026-34771 GHSA-8337-3p73-46f4 |
Electron: Memory corruption or application crash via use-after-free in permission request handling |
Affected by 4 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 10 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||