VulnerableCode Package Details - pkg:npm/electron@40.8.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-7yvz-624p-m7fe Aliases: CVE-2026-34764 GHSA-8x5q-pvf5-64mp	Electron: Use-after-free in offscreen shared texture release() callback	40.8.5 Affected by 0 other vulnerabilities. 41.1.0 Affected by 0 other vulnerabilities. 42.0.0-alpha.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7yvz-624p-m7fe
Aliases:
CVE-2026-34764
GHSA-8x5q-pvf5-64mp

Electron: Use-after-free in offscreen shared texture release() callback

40.8.5
Affected by 0 other vulnerabilities.

41.1.0
Affected by 0 other vulnerabilities.

42.0.0-alpha.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cjzy-nxnq-ffdp	Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes ### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)	CVE-2026-34775 GHSA-xwr5-m59h-vwqr

Vulnerability

Summary

Aliases

VCID-cjzy-nxnq-ffdp

Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes ### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

CVE-2026-34775
GHSA-xwr5-m59h-vwqr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-06T16:48:57.427579+00:00	GitLab Importer	Affected by	VCID-7yvz-624p-m7fe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34764.yml	38.6.0
2026-05-05T12:40:50.738661+00:00	GitLab Importer	Fixing	VCID-cjzy-nxnq-ffdp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34775.yml	38.6.0
2026-04-04T14:32:50.962974+00:00	GHSA Importer	Fixing	VCID-cjzy-nxnq-ffdp	https://github.com/advisories/GHSA-xwr5-m59h-vwqr	38.1.0
2026-04-03T21:42:20.152289+00:00	GithubOSV Importer	Fixing	VCID-cjzy-nxnq-ffdp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xwr5-m59h-vwqr/GHSA-xwr5-m59h-vwqr.json	38.1.0