Lookup for vulnerable packages by Package URL.
| Purl | pkg:npm/electron@39.8.4 |
|---|
| Type | npm |
|---|
| Namespace | |
|---|
| Name | electron |
|---|
| Version | 39.8.4 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 39.8.5 |
|---|
| Latest_non_vulnerable_version | 42.0.0-alpha.5 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-7yvz-624p-m7fe |
| vulnerability_id |
VCID-7yvz-624p-m7fe |
| summary |
Electron: Use-after-free in offscreen shared texture release() callback |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34764 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02673 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.027 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.0268 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02678 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03435 |
| published_at |
2026-05-05T12:55:00Z |
|
| 5 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.0489 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.05044 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.05045 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.05004 |
| published_at |
2026-04-24T12:55:00Z |
|
| 9 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.04973 |
| published_at |
2026-04-21T12:55:00Z |
|
| 10 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.04829 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.04871 |
| published_at |
2026-04-13T12:55:00Z |
|
| 12 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.04819 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34764 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34764, GHSA-8x5q-pvf5-64mp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7yvz-624p-m7fe |
|
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-cjzy-nxnq-ffdp |
| vulnerability_id |
VCID-cjzy-nxnq-ffdp |
| summary |
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
### Impact
The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.
Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.
### Workarounds
Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.
### Fixed Versions
* `41.0.0`
* `40.8.4`
* `39.8.4`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34775 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01183 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01716 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01688 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01692 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02059 |
| published_at |
2026-05-05T12:55:00Z |
|
| 5 |
| value |
0.00031 |
| scoring_system |
epss |
| scoring_elements |
0.08851 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00031 |
| scoring_system |
epss |
| scoring_elements |
0.08839 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00031 |
| scoring_system |
epss |
| scoring_elements |
0.08773 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.09618 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.09747 |
| published_at |
2026-04-12T12:55:00Z |
|
| 10 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.0959 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.09731 |
| published_at |
2026-04-13T12:55:00Z |
|
| 12 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.09767 |
| published_at |
2026-04-09T12:55:00Z |
|
| 13 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.0978 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34775 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34775, GHSA-xwr5-m59h-vwqr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cjzy-nxnq-ffdp |
|
|
|---|
| Risk_score | 1.4 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/electron@39.8.4 |
|---|