CVE-2026-34780 - Vulnerability Analysis
High | CVSS: 8.3 | Last Updated: April 4, 2026
Electron - Context Isolation Bypass
Published: April 4, 2026 | Updated: April 4, 2026 | Remote Exploitable
Overview
Electron versions 39.0.0-alpha.1 to < 39.8.0, 40.0.0-alpha.1 to < 40.7.0, and 41.0.0-alpha.1 to < 41.0.0-beta.8 contain a context isolation bypass caused by passing VideoFrame objects across contextBridge. An attacker with JavaScript execution in the main world can use it to access the isolated world and Node.js APIs. Exploitation requires a preload script that exposes a VideoFrame via contextBridge.
Severity & Score
Severity: High
CVSS Score: 8.3
Impact
Attackers with main world JavaScript execution can bypass context isolation and access Node.js APIs, potentially leading to full system compromise.
Mitigation
Update to versions 39.8.0, 40.7.0, or 41.0.0-beta.8 or later.
Details
- CVE ID: CVE-2026-34780
- Severity: High
- CVSS Score: 8.3
- Type: broken_access_control
- Status: new
CWE
- CWE-668
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H