Platform: javascript
Component: electron
Fixed in: 39.8.6, 40.0.1, 41.0.1, 42.0.1
CVE-2026-34765 is a security vulnerability affecting the Electron framework, which is used for building cross-platform desktop applications. The issue arises from incorrect scoping of named-window lookups when renderers call window.open(). Exploitation could allow a malicious renderer to navigate a child window opened by a different renderer, potentially leading to unauthorized actions. Affected versions include Electron 39.0.0 through 41.1.0 and 42.0.0-alpha.1 to 42.0.0-alpha.4; a fix is available in Electron 39.8.5.
The core of this vulnerability lies in Electron's handling of window.open() calls with target names. Prior to the fix, Electron did not properly scope these lookups to the opener's browsing context group. A malicious renderer could therefore hijack a child window opened by a legitimate application, provided both renderers use the same target name. The severity is amplified if the hijacked child window was created with more permissive webPreferences, for example with nodeIntegration enabled or contextIsolation disabled. An attacker could then execute arbitrary JavaScript within the context of the hijacked window, potentially stealing sensitive data, modifying the application's behavior, or launching further attacks.
As of the publication date (2026-04-07), this CVE has not been listed on KEV or EPSS. The CVSS score of 6 (MEDIUM) suggests a moderate probability of exploitation. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that a POC will emerge as attackers begin to analyze it. Monitor security advisories and vulnerability databases for updates.
Applications built using Electron that utilize shared target names for window.open() calls are at risk. This includes desktop applications that integrate web content or rely on complex window management. Developers using Electron's setWindowOpenHandler with permissive webPreferences are particularly vulnerable, as they may inadvertently grant attackers greater control over hijacked windows.
• linux / server: Monitor Electron application logs for unusual window navigation events or errors related to target name resolution. Use ps and lsof to identify running Electron processes and their associated files.
    lsof -p "$(pgrep -d, electron)"
• generic web: Inspect network traffic for unexpected requests originating from Electron applications, particularly those involving window navigation. Use browser developer tools to monitor window.open() calls and their target names.
• javascript: Review Electron application code for instances of window.open() with shared target names. Look for code that might be vulnerable to cross-renderer context manipulation.
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2026-34765 is to upgrade to Electron version 39.8.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter webPreferences when creating child windows using setWindowOpenHandler. Specifically, ensure nodeIntegration is disabled and contextIsolation is enabled to limit the attacker's ability to execute arbitrary code. Additionally, review your application's code for any instances where target names are used in window.open() calls and consider refactoring to avoid them if possible. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it relies on application-level interaction.
Upgrade to version 39.8.5, 40.8.5, 41.1.0 or 42.0.0-alpha.5 or later. Review your use of `setWindowOpenHandler` to avoid granting excessive privileges to child windows. Where possible, avoid `nodeIntegration: true` or `sandbox: false` in child windows.
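One way to apply the webPreferences advice above, as an added example that is not code from Electron or from this advisory: a `setWindowOpenHandler` policy written as a pure function so it can be tested without Electron. The origin and target-name allowlists are hypothetical, and treating an empty name or `_blank` as "unnamed" is an assumption.

```javascript
// Added example: restrictive policy for child windows created via window.open().
// ALLOWED_ORIGINS and ALLOWED_TARGETS are hypothetical values for this sketch.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_TARGETS = new Set(['help-panel']); // target names this app expects to use

// Locked-down preferences applied to every child window, whatever the opener requested.
const SAFE_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
});

function isUnnamedTarget(frameName) {
  // Assumption: an empty name or "_blank" means no reusable named target.
  return !frameName || frameName === '_blank';
}

// Takes the `details` object Electron passes to the window-open handler
// ({ url, frameName, ... }) and returns the handler response.
function windowOpenPolicy(details) {
  let parsed;
  try {
    parsed = new URL(details.url);
  } catch {
    return { action: 'deny' }; // unparsable URL
  }
  if (parsed.protocol !== 'https:') return { action: 'deny' };
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return { action: 'deny' };

  // Refuse named targets the application does not expect to see.
  if (!isUnnamedTarget(details.frameName) && !ALLOWED_TARGETS.has(details.frameName)) {
    return { action: 'deny' };
  }

  return {
    action: 'allow',
    overrideBrowserWindowOptions: { webPreferences: { ...SAFE_WEB_PREFERENCES } },
  };
}

// Wiring inside an Electron main process (not executed here):
//   mainWindow.webContents.setWindowOpenHandler(windowOpenPolicy);
```

This limits what a child window can do if it is navigated unexpectedly; it does not change how Electron resolves target names, so upgrading remains the fix.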
CVE-2026-34765 is a medium severity vulnerability in Electron where a renderer can navigate a child window opened by another renderer using the same target name, potentially leading to unauthorized access.
You are affected if you are using Electron versions 39.0.0 through 41.1.0 or 42.0.0-alpha.1 to 42.0.0-alpha.4 and utilize shared target names in window.open() calls.
Upgrade to Electron version 39.8.5 or later. Consider stricter controls on target names and review webPreferences settings.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the Electron security advisories on the Electron GitHub repository for official details: https://github.com/electron/electron/security/advisories