PT-2026-29999 · Electron · Electron

Published: 2026-04-03 · Updated: 2026-04-04 · CVE-2026-34769

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Electron versions prior to 38.8.6, prior to 39.8.0, prior to 40.7.0, and prior to 41.0.0-beta.8.

Description

An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Applications that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Applications are only affected if they construct webPreferences from external or untrusted input without an allowlist. Applications that use a fixed, hardcoded webPreferences object are not affected.

Recommendations

Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.
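The allowlist recommended above, shown beside the spread pattern it replaces. This is an added example, not code from Electron or from this advisory: the function names, the choice of permitted keys and the sample configuration are assumptions made for illustration, and commandLineSwitches carries a placeholder value.

```javascript
'use strict';

// Keys this hypothetical app lets external configuration set, each with a validator.
// Which keys to permit is an assumption of the example; keep the list as small as possible.
const ALLOWED_PREFS = {
  zoomFactor: (v) => typeof v === 'number' && v >= 0.25 && v <= 5,
  spellcheck: (v) => typeof v === 'boolean',
  backgroundThrottling: (v) => typeof v === 'boolean',
};

// Security-relevant settings are fixed in code and never taken from configuration.
const FIXED_PREFS = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// The pattern the advisory warns about: every input key, documented or not, is forwarded.
function buildWebPreferencesUnsafe(externalConfig) {
  return { ...FIXED_PREFS, ...externalConfig };
}

// Allowlist version: copy only known keys whose values validate, and report the rest.
function buildWebPreferences(externalConfig) {
  const prefs = {};
  const rejected = [];
  for (const key of Object.keys(externalConfig ?? {})) {
    const validate = Object.hasOwn(ALLOWED_PREFS, key) ? ALLOWED_PREFS[key] : null;
    if (validate && validate(externalConfig[key])) {
      prefs[key] = externalConfig[key];
    } else {
      rejected.push(key);
    }
  }
  // Fixed values are applied last so nothing from the input can override them.
  return { webPreferences: { ...prefs, ...FIXED_PREFS }, rejected };
}

// Constructed sample input, e.g. parsed from a user-editable JSON settings file.
const sampleConfig = JSON.parse(
  '{"zoomFactor": 1.25, "sandbox": false, "commandLineSwitches": "<placeholder>"}'
);

const { webPreferences, rejected } = buildWebPreferences(sampleConfig);
console.log(webPreferences, 'rejected:', rejected);
// In the app: new BrowserWindow({ webPreferences })
```

Logging the rejected list gives an audit trail for configuration files that carry unexpected keys, which is worth alerting on even after upgrading to a fixed Electron version.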

Fix

Hidden Functionality

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2026-34769
GHSA-9WFR-W7MM-PC7F

Affected Products

Electron