CVE-2026-34780: Electron Context Isolation Bypass (High)
Platform: nodejs
Component: electron
Fixed in: 39.8.0
CVE-2026-34780 describes a context isolation bypass vulnerability affecting Electron applications. Specifically, apps passing `VideoFrame` objects via the `contextBridge` are susceptible, potentially allowing an attacker with JavaScript execution in the main world (e.g., via XSS) to access the isolated world and Node.js APIs. This impacts Electron versions 39.0.0-alpha.1 through 39.8.0. No official patch is currently available.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-34780?
CVE-2026-34780 is a context isolation bypass vulnerability in Electron. It allows an attacker with XSS to bypass context isolation via `VideoFrame` objects passed through the `contextBridge`.
Am I affected by CVE-2026-34780?
You are affected if your Electron application (versions 39.0.0-alpha.1 through 39.8.0) uses a preload script that returns, resolves, or passes a `VideoFrame` object to the main world via `contextBridge.exposeInMainWorld()`.
How can I fix or mitigate CVE-2026-34780?
Currently, there is no official patch. As a workaround, avoid passing `VideoFrame` objects from the WebCodecs API across the `contextBridge` to prevent exploitation.
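One way to enforce the workaround above in a preload script, as an added example (not code from Electron or from this advisory): a wrapper that rejects any `VideoFrame` a preload API would return, resolve, or pass to a main-world callback. The helper names `guardApi`, `containsVideoFrame` and `assertNoVideoFrame` are hypothetical, and the API object is assumed to be a flat object of functions and plain values.

```javascript
// Added example, not Electron's code. guardApi / containsVideoFrame are
// hypothetical names; FrameCtor defaults to the renderer's global VideoFrame.

// True if value is, or contains (arrays / plain objects), a FrameCtor instance.
function containsVideoFrame(value, FrameCtor, seen = new Set()) {
  if (!FrameCtor || value === null || typeof value !== 'object') return false;
  if (value instanceof FrameCtor) return true;
  if (ArrayBuffer.isView(value) || seen.has(value)) return false; // raw pixels, cycles
  seen.add(value);
  return Object.values(value).some((v) => containsVideoFrame(v, FrameCtor, seen));
}

// Throw instead of letting a VideoFrame leave the isolated world.
function assertNoVideoFrame(value, FrameCtor, where) {
  if (containsVideoFrame(value, FrameCtor)) {
    throw new TypeError(`VideoFrame must not cross contextBridge (${where})`);
  }
  return value;
}

// Wrap every member of `api` so a VideoFrame cannot be returned, resolved,
// or passed to a callback supplied by the main world.
function guardApi(api, FrameCtor = globalThis.VideoFrame) {
  const guarded = {};
  for (const [name, member] of Object.entries(api)) {
    if (typeof member !== 'function') {
      guarded[name] = assertNoVideoFrame(member, FrameCtor, `property ${name}`);
      continue;
    }
    guarded[name] = (...args) => {
      // Main-world callbacks: check everything the preload hands to them.
      const wrappedArgs = args.map((arg) => (typeof arg !== 'function' ? arg
        : (...cbArgs) => arg(...cbArgs.map(
          (a) => assertNoVideoFrame(a, FrameCtor, `${name} callback`)))));
      const result = member(...wrappedArgs);
      if (result && typeof result.then === 'function') {
        return result.then(
          (v) => assertNoVideoFrame(v, FrameCtor, `${name} resolved value`));
      }
      return assertNoVideoFrame(result, FrameCtor, `${name} return value`);
    };
  }
  return guarded;
}

// Assumed usage inside a preload script:
//   contextBridge.exposeInMainWorld('media', guardApi({ grabFrame, onFrame }));
```

Pixel data copied out of the frame into a typed array or plain object still passes the guard, so the preload can hand the main world the data without handing it the `VideoFrame` itself.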