CVE-2026-34777
Last modified
CVE-2026-34777 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. EPSS estimates a 0.12% chance of exploitation in the next 30 days.
Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Electronjs | Electron | < 38.8.6 | — |
| Electronjs | Electron | >= 39.0.0, < 39.8.1 | — |
| Electronjs | Electron | >= 40.0.0, < 40.8.1 | — |
| Electronjs | Electron | 41.0.0 | Alpha1 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-34777?
How severe is CVE-2026-34777?
How do I fix CVE-2026-34777?
Are you affected by CVE-2026-34777?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST