VulnerableCode Package Details - pkg:npm/electron@41.0.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-7yvz-624p-m7fe Aliases: CVE-2026-34764 GHSA-8x5q-pvf5-64mp	Electron: Use-after-free in offscreen shared texture release() callback	41.1.0 Affected by 0 other vulnerabilities. 42.0.0-alpha.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7yvz-624p-m7fe
Aliases:
CVE-2026-34764
GHSA-8x5q-pvf5-64mp

Electron: Use-after-free in offscreen shared texture release() callback

41.1.0
Affected by 0 other vulnerabilities.

42.0.0-alpha.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-t1z9-bmnv-57bm	Electron: HTTP Response Header Injection in custom protocol handlers and webRequest ### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. ### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value. ### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)	CVE-2026-34767 GHSA-4p4r-m79c-wq3v

Vulnerability

Summary

Aliases

VCID-t1z9-bmnv-57bm

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest ### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. ### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value. ### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

CVE-2026-34767
GHSA-4p4r-m79c-wq3v

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-06T16:48:57.507008+00:00	GitLab Importer	Affected by	VCID-7yvz-624p-m7fe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34764.yml	38.6.0
2026-05-05T12:40:47.357076+00:00	GitLab Importer	Fixing	VCID-t1z9-bmnv-57bm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2026-34767.yml	38.6.0
2026-04-04T14:32:50.068248+00:00	GHSA Importer	Fixing	VCID-t1z9-bmnv-57bm	https://github.com/advisories/GHSA-4p4r-m79c-wq3v	38.1.0
2026-04-03T21:42:24.881852+00:00	GithubOSV Importer	Fixing	VCID-t1z9-bmnv-57bm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4p4r-m79c-wq3v/GHSA-4p4r-m79c-wq3v.json	38.1.0