PT-2026-30008 · Electron · Electron

Vertedindep

Published 2026-04-03 · Updated 2026-04-04 · CVE-2026-34778

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0

Description: Electron is a framework for building cross-platform desktop applications with JavaScript, HTML, and CSS. A service worker could manipulate responses on the internal IPC channel used by webContents.executeJavaScript() and similar methods, so the main process could receive attacker-controlled data. Applications that use service workers and rely on the outcome of webContents.executeJavaScript() or webFrameMain.executeJavaScript() for security-critical operations are affected. webContents.executeJavaScript() executes JavaScript code in a web page; the vulnerability lies in spoofing reply messages on the internal IPC channel that carries its result, which lets an attacker control the data returned to the main process.

Recommendations: Versions prior to 38.8.6 should be updated to 38.8.6 or later; versions prior to 39.8.1 to 39.8.1 or later; versions prior to 40.8.1 to 40.8.1 or later; versions prior to 41.0.0 to 41.0.0 or later. Do not rely on the return value of webContents.executeJavaScript() for security decisions; use dedicated, validated IPC channels for secure communication with renderers.
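The recommendation above in code, as an added example that is not Electron's or the advisory's own: the main process never reads a security decision out of a value resolved from the renderer side, but exposes one dedicated IPC channel, checks the calling frame, validates the request shape, and authorizes from its own state. `ipcMain` is injected so the logic runs without Electron; the channel name, the origin allowlist and the `authz.canExport()` interface are assumptions.

```javascript
// Added example (not Electron's or the advisory's code). Because a renderer-side
// actor could spoof the reply that webContents.executeJavaScript() resolves
// with, the main process must not read a security decision out of that
// return value. Instead it exposes one dedicated IPC channel, checks who is
// calling, validates the request shape, and decides authorization from its
// own state. `ipcMain` is injected so the logic runs without Electron; the
// channel name, origin allowlist and `authz` interface are assumptions.

const TRUSTED_ORIGINS = ['https://app.example.test']; // assumed allowlist

// Accept the request only from frames whose origin is allowlisted.
function isTrustedSender(frameUrl) {
  try {
    return TRUSTED_ORIGINS.includes(new URL(frameUrl).origin);
  } catch {
    return false; // missing or unparsable URL is untrusted
  }
}

// Strict schema check: exactly one field, a short identifier-shaped string.
function parseExportRequest(payload) {
  if (typeof payload !== 'object' || payload === null) return null;
  if (Object.keys(payload).length !== 1) return null;
  const id = payload.documentId;
  if (typeof id !== 'string' || !/^[a-z0-9-]{1,64}$/.test(id)) return null;
  return { documentId: id };
}

// In production `ipcMain` is Electron's ipcMain and `event.senderFrame` is
// the calling WebFrameMain; `authz.canExport(id)` (assumed) is the main
// process's own authorization source, so renderer data never decides it.
function registerExportChannel(ipcMain, authz) {
  ipcMain.handle('document:export', (event, payload) => {
    const url = event.senderFrame ? event.senderFrame.url : '';
    if (!isTrustedSender(url)) return { ok: false, error: 'untrusted sender' };
    const req = parseExportRequest(payload);
    if (!req) return { ok: false, error: 'bad request' };
    if (!authz.canExport(req.documentId)) return { ok: false, error: 'forbidden' };
    return { ok: true, documentId: req.documentId };
  });
}

// The pattern the advisory warns against, for contrast (do not do this):
//   const isAdmin = await win.webContents.executeJavaScript('window.isAdmin');
//   if (isAdmin) runPrivilegedOperation(); // reply is attacker-controllable
```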

Weakness Enumeration

Insufficient Verification of Data Authenticity
Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-34778
GHSA-XJ5X-M3F3-5X3H

Affected Products

Electron