Cross-Site Scripting Vulnerability in Electron Framework
CVE-2026-34777

5.4 MEDIUM

Key Information:

Vendor: Electron
Status: Vendor
CVE Published: 3 April 2026

What is CVE-2026-34777?

The Electron framework, used to build cross-platform desktop applications, has a vulnerability in how permission requests from iframes are handled. In versions before 38.8.6, 39.8.1, 40.8.1, and 41.0.0, the origin used to authorize key permissions such as fullscreen and media access is taken from the top-level page rather than from the iframe that actually made the request. Because the decision is made against the wrong origin, third-party content embedded in an iframe can be granted permissions that were intended only for the application's own page, posing significant security risks. Developers are advised to verify the requesting URL via details.requestingUrl in their permission-request handler to mitigate this issue.
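The following is an added example, not Electron's own code or a fix from the project: a permission-request handler that decides on the frame that actually asked, using details.requestingUrl, instead of the top-level page. The policy table, origin names and function names are assumptions for illustration; the decision logic is a pure function so it can run without Electron, and in a real app it would be installed with session.defaultSession.setPermissionRequestHandler(makePermissionHandler(POLICY)).

```javascript
// Hypothetical policy (constructed for this example): which origins may
// receive which permissions. Anything not listed here is denied.
const POLICY = {
  'https://app.example.com': new Set(['fullscreen', 'media']),
};

// Reduce a URL to its origin; unparsable input yields null.
function originOf(rawUrl) {
  try {
    // Opaque origins such as about:blank serialize to the string 'null'.
    return new URL(rawUrl).origin;
  } catch {
    return null;
  }
}

// Decide a single permission request. `details.requestingUrl` is the URL
// of the frame that raised the request (an Electron API field); it is the
// value to check, NOT webContents.getURL(), which is the top-level page's
// URL and is exactly what the vulnerable versions compared against.
function decide(policy, permission, details) {
  const origin = originOf(details && details.requestingUrl);
  // Fail closed: missing, malformed or opaque requesting origins are denied.
  if (!origin || origin === 'null') return false;
  const allowed = policy[origin];
  return Boolean(allowed && allowed.has(permission));
}

// Build the handler in the shape Electron expects:
// (webContents, permission, callback, details) => void
function makePermissionHandler(policy) {
  return (webContents, permission, callback, details) => {
    callback(decide(policy, permission, details));
  };
}
```

With this handler, a request from an embedded https://ads.example.net iframe is denied even though the top-level page is https://app.example.com, which is the case the advisory describes.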

Affected Version(s)

electron < 38.8.6

electron >= 39.0.0-alpha.1, < 39.8.1

electron >= 40.0.0-alpha.1, < 40.8.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved