CVE-2026-34778 MEDIUM

CVE-2026-34778: Electron: Service worker can spoof executeJavaScript IPC replies

Vendor Electron

Product electron

Weakness CWE-290

Published April 3, 2026

Last update April 6, 2026

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Key dates

Disclosure timeline

April 3, 2026 CVE published

April 6, 2026 Record updated

Identifiers

CVE CVE-2026-34778

CWE CWE-290

CVSS 5.9 / MEDIUM

Affected versions

Vendor Electron

Product electron

Affected < 38.8.6

Vendor Electron

Product electron

Affected >= 39.0.0-alpha.1, < 39.8.1

Vendor Electron

Product electron

Affected >= 40.0.0-alpha.1, < 40.8.1

Vendor Electron

Product electron

Affected >= 41.0.0-alpha.1, < 41.0.0