CVE-2026-34768

HIGH EPSS 3.0%
Published Apr 4, 20262mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 4, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
3.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-428

Affected Products 16

VendorProductVersionRange
electronjselectron* <38.8.6
electronjselectron*≥39.0.0  –  <39.8.1
electronjselectron*≥40.0.0  –  <40.8.0
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any
electronjselectron41.0.0any

References 1

  • github.com https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.