VulnerableCode Package Details - pkg:npm/electron@41.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-7yvz-624p-m7fe Aliases: CVE-2026-34764 GHSA-8x5q-pvf5-64mp	Electron: Use-after-free in offscreen shared texture release() callback	41.1.0 Affected by 0 other vulnerabilities. 42.0.0-alpha.5 Affected by 0 other vulnerabilities.
VCID-t1z9-bmnv-57bm Aliases: CVE-2026-34767 GHSA-4p4r-m79c-wq3v	Electron: HTTP Response Header Injection in custom protocol handlers and webRequest ### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. ### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value. ### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)	41.0.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-7yvz-624p-m7fe
Aliases:
CVE-2026-34764
GHSA-8x5q-pvf5-64mp

Electron: Use-after-free in offscreen shared texture release() callback

41.1.0
Affected by 0 other vulnerabilities.

42.0.0-alpha.5
Affected by 0 other vulnerabilities.

VCID-t1z9-bmnv-57bm
Aliases:
CVE-2026-34767
GHSA-4p4r-m79c-wq3v

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest ### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. ### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value. ### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

41.0.3
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-06T16:49:21.505173+00:00	GitLab Importer	Affected by	VCID-t1z9-bmnv-57bm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34767.yml	38.6.0
2026-05-06T16:48:57.498912+00:00	GitLab Importer	Affected by	VCID-7yvz-624p-m7fe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34764.yml	38.6.0

2026-05-06T16:49:21.505173+00:00

GitLab Importer

Affected by

VCID-t1z9-bmnv-57bm

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34767.yml

38.6.0

2026-05-06T16:48:57.498912+00:00

GitLab Importer

Affected by

VCID-7yvz-624p-m7fe

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34764.yml

38.6.0

Next non-vulnerable version	41.1.0
Latest non-vulnerable version	42.0.0-alpha.5
Risk	3.1