Synced 16 Jun 2026 15:24 UTC Account
← All products

CVE-2026-34773

MEDIUM severity · CVSS 4.7 · Improper input validation
4.7CVSS MEDIUM

Summary

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers. Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Impact & exploitability

Attack vectorLocal
Attack complexityHigh
Privileges requiredLow
User interactionNone
Confidentiality impactNone
Integrity impactHigh
Availability impactNone
Exploit probability (EPSS)0%

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected products we track (1)

Electron

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information