anonhaven
Ad

CVE-2026-34769

HIGH CVSS 3.1: 7.8 EPSS 0.01%
Updated Apr 09, 2026
Electron
Parameter Value
CVSS 7.8 (HIGH)
Affected Versions 39.0.0 — 40.7.0
Fixed In 38.8.6
Type CWE-88, CWE-912
Vendor Electron
Public PoC No

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-88
CWE-912

Vulnerable Products 16

Configuration From (including) Up to (excluding)
Electronjs Electron
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
 38.8.6
Electronjs Electron
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
 39.0.0 39.8.0
Electronjs Electron
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
 40.0.0 40.7.0
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
Electronjs Electron
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*

References 1

https://github.com/electron/electron/security/advisories/GHSA-9wfr-w7mm-pc7f
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34764

Electron

2.3

CVE-2026-34780

Electron

8.3

CVE-2026-34779

Electron

6.5

CVE-2026-34778

Electron

5.9

CVE-2026-34777

Electron

5.4