CVE-2026-34773

CVSS v3.1

4.7

Medium

AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCUSoftwareClasses, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions

41.0.0
40.8.1
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Fix

Special Elements Injection

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-20

Related Identifiers

CVE-2026-34773

GHSA-MWMH-MQ4G-G6GR

Affected Products

Electron

CVE-2026-34773

Impact

Workarounds

Fixed Versions

For more information

Weakness Enumeration

Related Identifiers

Affected Products

References · 3