CVE-2026-34767

EPSS 0.03%
Veröffentlicht 03.04.2026 23:43:09
Zuletzt bearbeitet 09.04.2026 16:16:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Electronjs ≫ Electron SwPlatformnode.js Version < 38.8.6

Electronjs ≫ Electron SwPlatformnode.js Version >= 39.0.0 < 39.8.3

Electronjs ≫ Electron SwPlatformnode.js Version >= 40.0.0 < 40.8.3

Electronjs ≫ Electron SwPlatformnode.js Version >= 41.0.0 < 41.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.093

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
security-advisories@github.com	5.9	1.6	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-34767

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34767

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34767

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34767