CVE-2026-34780
Published:April 04, 2026
Updated:April 20, 2026
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.
Affected Packages
electron (NPM):
Affected version(s) >=39.0.0-alpha.1 <39.8.0Fix Suggestion:
Update to version 39.8.0electron (NPM):
Affected version(s) >=41.0.0-alpha.1 <41.0.0-beta.8Fix Suggestion:
Update to version 41.0.0-beta.8electron (NPM):
Affected version(s) >=40.0.0-alpha.2 <40.7.0Fix Suggestion:
Update to version 40.7.0Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
EPSS
Base Score:
0.03
