Platform
nodejs
Component
electron
Fixed in
38.8.7
39.0.1
40.0.1
41.0.1
38.8.6
CVE-2026-34778 describes a vulnerability in Electron where a service worker can spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods. This allows an attacker to potentially control the data returned by these methods, leading to security-sensitive decisions being based on attacker-controlled information. The vulnerability affects Electron versions prior to 38.8.6 and can be mitigated by upgrading to the fixed version.
The impact of CVE-2026-34778 arises when applications register service workers and rely on the return value of webContents.executeJavaScript() or webFrameMain.executeJavaScript() for security-critical operations. An attacker could leverage this vulnerability to inject malicious data into the promise resolution of webContents.executeJavaScript(). This could lead to unauthorized actions, data breaches, or even complete compromise of the application, depending on how the returned data is used. The attacker essentially gains the ability to influence the application's behavior by manipulating the data it receives from the main process.
CVE-2026-34778 was publicly disclosed on 2026-04-03. Currently, there is no indication of active exploitation or a public proof-of-concept (POC). The vulnerability is not listed on the CISA KEV catalog. The medium CVSS score suggests a moderate level of exploitability and potential impact, warranting prompt remediation.
Exploit Status
EPSS
0.01% (3% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34778 is to upgrade to Electron version 38.8.6 or later. If upgrading immediately is not feasible, a critical workaround is to avoid trusting the return value of webContents.executeJavaScript() for any security-sensitive decisions. Instead, implement dedicated, validated IPC channels for secure communication between the renderer and main processes. Carefully review all instances where webContents.executeJavaScript() is used and ensure that the returned data is properly validated and sanitized before being used in any security-critical context. After upgrading, confirm the fix by testing the application's IPC communication and ensuring that the return values of webContents.executeJavaScript() are no longer susceptible to spoofing.
Update Electron to version 38.8.6, 39.8.1, 40.8.1, or 41.0.0 or later. Ensure that applications do not make security decisions based on the results of `webContents.executeJavaScript()` or `webFrameMain.executeJavaScript()` when service workers are used.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34778 is a vulnerability in Electron where a service worker can spoof IPC messages, potentially allowing attackers to control data returned by executeJavaScript().
You are affected if you use Electron versions prior to 38.8.6 and your application registers service workers and uses the return value of webContents.executeJavaScript() for security-sensitive decisions.
Upgrade to Electron version 38.8.6 or later. As a workaround, avoid trusting the return value of webContents.executeJavaScript() for security-sensitive decisions.
There is currently no indication of active exploitation or a public proof-of-concept.
Refer to the official Electron security advisory for details: [https://github.com/electron/electron/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/electron/electron/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.