CVE-2026-34777

EPSS 0.12%
Veröffentlicht 03.04.2026 23:57:36
Zuletzt bearbeitet 20.04.2026 14:19:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Electron: Incorrect origin passed to permission request handler for iframe requests

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 17 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Electronjs ≫ Electron SwPlatformnode.js Version < 38.8.6

Electronjs ≫ Electron SwPlatformnode.js Version >= 39.0.0 < 39.8.1

Electronjs ≫ Electron SwPlatformnode.js Version >= 40.0.0 < 40.8.1

Electronjs ≫ Electron Version41.0.0 Updatealpha1 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatealpha2 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatealpha3 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatealpha4 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatealpha5 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatealpha6 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta1 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta2 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta3 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta4 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta5 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta6 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta7 SwPlatformnode.js

Electronjs ≫ Electron Version41.0.0 Updatebeta8 SwPlatformnode.js

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.023

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-34777

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34777

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34777

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34777