Search for packages
| purl | pkg:npm/electron@40.8.2 |
| Next non-vulnerable version | 40.8.5 |
| Latest non-vulnerable version | 42.0.0-alpha.5 |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7yvz-624p-m7fe
Aliases: CVE-2026-34764 GHSA-8x5q-pvf5-64mp |
Electron: Use-after-free in offscreen shared texture release() callback |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-cjzy-nxnq-ffdp
Aliases: CVE-2026-34775 GHSA-xwr5-m59h-vwqr |
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes ### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
|
VCID-t1z9-bmnv-57bm
Aliases: CVE-2026-34767 GHSA-4p4r-m79c-wq3v |
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest ### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. ### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value. ### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-06T16:51:37.172629+00:00 | GitLab Importer | Affected by | VCID-cjzy-nxnq-ffdp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34775.yml | 38.6.0 |
| 2026-05-06T16:49:21.433898+00:00 | GitLab Importer | Affected by | VCID-t1z9-bmnv-57bm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34767.yml | 38.6.0 |
| 2026-05-06T16:48:57.420277+00:00 | GitLab Importer | Affected by | VCID-7yvz-624p-m7fe | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34764.yml | 38.6.0 |