Platform
nodejs
Component
electron
Fixed in
39.0.1
40.0.1
41.0.1
CVE-2026-34780 describes a context isolation bypass vulnerability affecting Electron applications. Specifically, apps that utilize the WebCodecs API and pass VideoFrame objects across the contextBridge are susceptible. An attacker exploiting this vulnerability can execute JavaScript in the main world (e.g., via XSS) to gain unauthorized access to the isolated world, potentially accessing Node.js APIs exposed to the preload script. This affects Electron versions 39.0.0-alpha.1 through 39.8.0. Currently, there is no official patch available.
CVE-2026-34780 affects Electron, a framework for building cross-platform desktop applications. The vulnerability lies in how VideoFrame objects (from the WebCodecs API) are handled when passed across a contextBridge. In versions 39.0.0-alpha.1 and prior to 39.8.0, 40.0.0-alpha.1 and prior to 40.7.0, and 41.0.0-alpha.1 and prior to 41.0.0-beta.8, an attacker who can execute JavaScript in the main world (e.g., via XSS) can use a bridged VideoFrame to bypass context isolation and potentially access protected resources. This could lead to arbitrary code execution or access to sensitive data within the Electron application.
Exploitation of this vulnerability requires an attacker to have the ability to execute JavaScript in the main context of the Electron application. This could be achieved through a Cross-Site Scripting (XSS) vulnerability in the application or through manipulation of a vulnerable component. Once the attacker has control over JavaScript in the main context, they can create a malicious VideoFrame and pass it across contextBridge to bypass context isolation and execute arbitrary code in the isolated context.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The solution to this vulnerability is to update to a version of Electron that includes the fix. Affected versions are those prior to 39.8.0, 40.7.0, and 41.0.0-beta.8. It is highly recommended to update to the latest stable version of Electron available. Additionally, review your application's code to ensure that VideoFrame handling via contextBridge is performed securely and that sensitive data is not passed without proper validation. Implementing additional security controls, such as input validation and data sanitization, can help mitigate the risk.
Actualice a una versión de Electron que incluya la corrección, como 39.8.0, 40.7.0 o 41.0.0-beta.8. Asegúrese de que su preload script no esté exponiendo VideoFrame objects a través de contextBridge si no es absolutamente necesario. Revise su código para identificar y eliminar cualquier uso innecesario de VideoFrame objects en el contextoBridge.
Vulnerability analysis and critical alerts directly to your inbox.
contextBridge is a feature of Electron that allows web applications to securely communicate with the Node.js main process.
The WebCodecs API provides an interface for encoding and decoding media, such as video and audio, in the browser.
Check the version of Electron you are using. If it is prior to 39.8.0, 40.7.0, or 41.0.0-beta.8, it is vulnerable.
If you cannot update immediately, consider implementing additional mitigation measures, such as input validation and data sanitization.
Currently, there are no specific tools to detect this vulnerability, but a thorough code review is recommended.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.