CVE-2026-34769: Electron WebPreferences Command Injection (≤38.8.6)
Platform
nodejs
Component
electron
Fixed in
38.8.6
CVE-2026-34769 describes a command injection vulnerability within Electron. Specifically, an undocumented `commandLineSwitches` webPreference allows arbitrary switches to be appended to the renderer process command line, potentially disabling renderer sandboxing or web security controls. This impacts applications that construct `webPreferences` from external or untrusted input without an allowlist. The vulnerability affects Electron versions up to and including 38.8.6. The fix involves avoiding spreading untrusted input directly into `webPreferences`.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-34769?
CVE-2026-34769 is a command injection vulnerability in Electron that allows attackers to inject arbitrary command-line switches into the renderer process via the `webPreferences` object.
Am I affected by CVE-2026-34769?
You are likely affected if your Electron application constructs `webPreferences` from external or untrusted input without proper sanitization or an allowlist, and you are using Electron version 38.8.6 or earlier.
How can I fix or mitigate CVE-2026-34769?
To fix this vulnerability, avoid spreading untrusted input directly into the `webPreferences` object. Sanitize or use an allowlist to control which properties are used to construct `webPreferences`.
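An added example, not taken from the advisory or the Electron project: one way to build `webPreferences` from external input through an allowlist, shown beside the spread pattern the advisory warns about. The allowlisted keys, the function names and the sample input are assumptions chosen for illustration.

```javascript
'use strict';

// Hypothetical allowlist: the only webPreferences keys this app lets
// external configuration influence, each with a value validator.
const ALLOWED_PREFS = {
  zoomFactor: (v) => typeof v === 'number' && v >= 0.5 && v <= 3,
  spellcheck: (v) => typeof v === 'boolean',
  defaultFontSize: (v) => Number.isInteger(v) && v >= 8 && v <= 48,
};

// Security-relevant settings are fixed by the app and never taken from input.
const FIXED_PREFS = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// Pattern the advisory warns about: every key in `untrusted`, including
// the undocumented `commandLineSwitches`, reaches webPreferences.
function buildWebPreferencesUnsafe(untrusted) {
  return { ...FIXED_PREFS, ...untrusted };
}

// Allowlisted construction: copy only known keys whose values validate,
// then apply the fixed settings last so input can never override them.
function buildWebPreferences(untrusted) {
  const prefs = {};
  const rejected = [];
  const input = untrusted !== null && typeof untrusted === 'object' ? untrusted : {};
  for (const key of Object.keys(input)) {
    const validate = Object.prototype.hasOwnProperty.call(ALLOWED_PREFS, key)
      ? ALLOWED_PREFS[key] : null;
    if (validate && validate(input[key])) prefs[key] = input[key];
    else rejected.push(key); // worth logging: unexpected keys are a signal
  }
  return { webPreferences: { ...prefs, ...FIXED_PREFS }, rejected };
}

// Constructed sample input, e.g. parsed from a config file or an IPC message.
const sample = JSON.parse(
  '{"zoomFactor":1.25,"sandbox":false,"commandLineSwitches":"<placeholder>"}'
);

const result = buildWebPreferences(sample);
console.log(result.webPreferences, 'rejected:', result.rejected);
// In the main process: new BrowserWindow({ webPreferences: result.webPreferences })
```

The `rejected` list gives the main process something to log or alert on when a configuration source starts sending keys the application never reads.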