Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/electron@40.8.1
purl pkg:npm/electron@40.8.1
Next non-vulnerable version 40.8.5
Latest non-vulnerable version 42.0.0-alpha.5
Risk 3.1
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-7yvz-624p-m7fe
Aliases:
CVE-2026-34764
GHSA-8x5q-pvf5-64mp
Electron: Use-after-free in offscreen shared texture release() callback
40.8.5
Affected by 0 other vulnerabilities.
41.1.0
Affected by 0 other vulnerabilities.
42.0.0-alpha.5
Affected by 0 other vulnerabilities.
VCID-cjzy-nxnq-ffdp
Aliases:
CVE-2026-34775
GHSA-xwr5-m59h-vwqr
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes ### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
40.8.4
Affected by 1 other vulnerability.
41.0.0
Affected by 2 other vulnerabilities.
VCID-t1z9-bmnv-57bm
Aliases:
CVE-2026-34767
GHSA-4p4r-m79c-wq3v
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest ### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. ### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value. ### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
40.8.3
Affected by 2 other vulnerabilities.
41.0.3
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-2uv6-6zfm-x7c6 Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows ### Impact On Windows, `app.setAsDefaultProtocolClient(protocol)` did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under `HKCU\Software\Classes\`, potentially hijacking existing protocol handlers. Apps are only affected if they call `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected. ### Workarounds Validate the protocol name matches `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before passing it to `app.setAsDefaultProtocolClient()`. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) CVE-2026-34773
GHSA-mwmh-mq4g-g6gr
VCID-gxk8-9wc6-wkhs Electron: Service worker can spoof executeJavaScript IPC replies ### Impact A service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions. ### Workarounds Do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) CVE-2026-34778
GHSA-xj5x-m3f3-5x3h
VCID-k7gj-cczw-wfeb Electron: Incorrect origin passed to permission request handler for iframe requests ### Impact When an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions, the origin passed to `session.setPermissionRequestHandler()` was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or `webContents.getURL()` may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via `details.requestingUrl`. Apps that already check `details.requestingUrl` are not affected. ### Workarounds In your `setPermissionRequestHandler`, inspect `details.requestingUrl` rather than the origin parameter or `webContents.getURL()` when deciding whether to grant `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) CVE-2026-34777
GHSA-r5p7-gp4j-qhrx
VCID-vda9-xbsz-d7fm Electron: Out-of-bounds read in second-instance IPC on macOS and Linux ### Impact On macOS and Linux, apps that call `app.requestSingleInstanceLock()` were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's `second-instance` event handler. This issue is limited to processes running as the same user as the Electron app. Apps that do not call `app.requestSingleInstanceLock()` are not affected. Windows is not affected by this issue. ### Workarounds There are no app side workarounds, developers must update to a patched version of Electron. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) CVE-2026-34776
GHSA-3c8v-cfp5-9885

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-06T16:51:37.169009+00:00 GitLab Importer Affected by VCID-cjzy-nxnq-ffdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34775.yml 38.6.0
2026-05-06T16:49:21.430239+00:00 GitLab Importer Affected by VCID-t1z9-bmnv-57bm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34767.yml 38.6.0
2026-05-06T16:48:57.415746+00:00 GitLab Importer Affected by VCID-7yvz-624p-m7fe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34764.yml 38.6.0
2026-05-05T12:40:50.523926+00:00 GitLab Importer Fixing VCID-gxk8-9wc6-wkhs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34778.yml 38.6.0
2026-05-05T12:40:48.735544+00:00 GitLab Importer Fixing VCID-2uv6-6zfm-x7c6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34773.yml 38.6.0
2026-05-05T12:40:48.396449+00:00 GitLab Importer Fixing VCID-k7gj-cczw-wfeb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34777.yml 38.6.0
2026-05-05T12:40:47.510567+00:00 GitLab Importer Fixing VCID-vda9-xbsz-d7fm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34776.yml 38.6.0
2026-04-04T14:32:51.344451+00:00 GHSA Importer Fixing VCID-gxk8-9wc6-wkhs https://github.com/advisories/GHSA-xj5x-m3f3-5x3h 38.1.0
2026-04-04T14:32:51.163600+00:00 GHSA Importer Fixing VCID-k7gj-cczw-wfeb https://github.com/advisories/GHSA-r5p7-gp4j-qhrx 38.1.0
2026-04-04T14:32:51.042567+00:00 GHSA Importer Fixing VCID-vda9-xbsz-d7fm https://github.com/advisories/GHSA-3c8v-cfp5-9885 38.1.0
2026-04-04T14:32:50.752926+00:00 GHSA Importer Fixing VCID-2uv6-6zfm-x7c6 https://github.com/advisories/GHSA-mwmh-mq4g-g6gr 38.1.0
2026-04-03T21:42:25.185517+00:00 GithubOSV Importer Fixing VCID-k7gj-cczw-wfeb https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5p7-gp4j-qhrx/GHSA-r5p7-gp4j-qhrx.json 38.1.0
2026-04-03T21:42:24.697239+00:00 GithubOSV Importer Fixing VCID-gxk8-9wc6-wkhs https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xj5x-m3f3-5x3h/GHSA-xj5x-m3f3-5x3h.json 38.1.0
2026-04-03T21:42:21.373558+00:00 GithubOSV Importer Fixing VCID-2uv6-6zfm-x7c6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwmh-mq4g-g6gr/GHSA-mwmh-mq4g-g6gr.json 38.1.0
2026-04-03T21:42:20.404444+00:00 GithubOSV Importer Fixing VCID-vda9-xbsz-d7fm https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3c8v-cfp5-9885/GHSA-3c8v-cfp5-9885.json 38.1.0