Vulnerability details: VCID-t1z9-bmnv-57bm
Vulnerability ID VCID-t1z9-bmnv-57bm
Aliases CVE-2026-34767
GHSA-4p4r-m79c-wq3v
Summary Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

### Impact

Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

### Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

### Fixed Versions

* `41.0.3`
* `40.8.3`
* `39.8.3`
* `38.8.6`

### For more information

If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34767.json
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-34767
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2026-34767
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-34767
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2026-34767
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4p4r-m79c-wq3v
cvssv3.1 5.9 https://github.com/electron/electron
generic_textual MODERATE https://github.com/electron/electron
cvssv3.1 5.9 https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v
cvssv3.1_qr MODERATE https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v
generic_textual MODERATE https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v
ssvc Track https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2026-34767
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34767
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34767.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://github.com/electron/electron
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T19:07:46Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34767
Exploit Prediction Scoring System (EPSS)
Percentile 0.01274
EPSS Score 0.00011
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T21:42:24.794829+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4p4r-m79c-wq3v/GHSA-4p4r-m79c-wq3v.json 38.1.0