PT-2026-29997 · Electron · Electron

Vertedinde · Published 2026-04-03 · Updated 2026-04-04 · CVE-2026-34767

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Electron versions prior to 38.8.6, 39.8.3, 40.8.3, and 41.0.3

Description

Applications using Electron that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be susceptible to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker influencing a header value could inject additional response headers, potentially affecting cookies, content security policy, or cross-origin access controls. Applications that do not reflect external input into response headers are not affected.

Recommendations

Versions prior to 38.8.6: Validate or sanitize any untrusted input before including it in a response header name or value.
Versions prior to 39.8.3: Validate or sanitize any untrusted input before including it in a response header name or value.
Versions prior to 40.8.3: Validate or sanitize any untrusted input before including it in a response header name or value.
Versions prior to 41.0.3: Validate or sanitize any untrusted input before including it in a response header name or value.
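
One way to implement the validation recommended above, as an added example that is not part of the advisory or of Electron's own code. The helper names and the sample input are assumptions; the allowed character sets follow RFC 9110 and the filename encoding follows RFC 8187.

```javascript
// Added example: helper names are hypothetical, not Electron APIs.
// The sample input at the bottom is constructed for illustration.

// RFC 9110 "token": the only characters permitted in a header field name.
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Field value: tab, space, visible ASCII and obs-text (0x80-0xFF).
// CR, LF, NUL and other control characters are excluded.
const HEADER_VALUE_RE = /^[\t\x20-\x7E\x80-\xFF]*$/;

function isValidHeaderName(name) {
  return typeof name === 'string' && HEADER_NAME_RE.test(name);
}

function isValidHeaderValue(value) {
  return typeof value === 'string' && HEADER_VALUE_RE.test(value);
}

// Copy name/value pairs into a plain headers object, refusing any pair
// that could terminate its own header line and start another one.
function buildSafeHeaders(entries) {
  const headers = {};
  for (const [name, value] of Object.entries(entries)) {
    if (!isValidHeaderName(name)) {
      throw new TypeError(`rejected header name ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      throw new TypeError(`rejected value for header ${name}`);
    }
    headers[name] = value;
  }
  return headers;
}

// When the value must carry arbitrary text (here a download filename),
// encode it (RFC 8187 ext-value) rather than reflecting it raw.
function contentDispositionFor(filename) {
  const encoded = encodeURIComponent(filename)
    .replace(/['()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
  return `attachment; filename*=UTF-8''${encoded}`;
}

// Constructed untrusted input containing a CRLF sequence.
const untrusted = 'report.pdf\r\nX-Injected: 1';
console.log(isValidHeaderValue(untrusted)); // false
console.log(buildSafeHeaders({ 'Content-Disposition': contentDispositionFor(untrusted) }));
```

The object returned by buildSafeHeaders can be used as the headers of the Response returned from a protocol.handle() handler, or as the responseHeaders passed to the webRequest.onHeadersReceived callback. Rejecting is the default; encoding is used only where the header legitimately has to carry free text.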

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2026-34767
GHSA-4P4R-M79C-WQ3V

Affected Products

Electron