CVE & CISA-KEV Catalog

CVE-2026-34765

MEDIUM
6.0
CVSS v3
NVD

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.

How to fix

Remediation Available
electronNVD
Affected:>= 41.0.0, < 41.1.0Fixed in:41.1.0CVE-2026-34765derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeChanged

Impact

ConfidentialityLow
IntegrityLow
AvailabilityLow

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Exploit Intelligence

0.30%probability of exploitation in 30 days
22ndpercentile

Low risk: more likely to be exploited than 22% of all known CVEs.

References

Vendor Advisory1
Embed a live status badge for CVE-2026-34765
CVE-2026-34765 severity badge

Markdown

[![CVE-2026-34765](https://tridentstack.com/cve/badge/CVE-2026-34765.svg)](https://tridentstack.com/cve/CVE-2026-34765)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-34765"><img src="https://tridentstack.com/cve/badge/CVE-2026-34765.svg" alt="CVE-2026-34765"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-20.