CVE-2026-34780
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Description
### Impact

Apps that pass `VideoFrame` objects (from the WebCodecs API) across the `contextBridge` are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged `VideoFrame` to gain access to the isolated world, including any Node.js APIs exposed to the preload script.

Apps are only affected if a preload script returns, resolves, or passes a `VideoFrame` object to the main world via `contextBridge.exposeInMainWorld()`. Apps that do not bridge `VideoFrame` objects are not affected.

### Workarounds

Do not pass `VideoFrame` objects across `contextBridge`. If an app needs to transfer video frame data, serialize it to an `ArrayBuffer` or `ImageBitmap` before bridging.

### Fixed Versions

* `41.0.0-beta.8`
* `40.7.0`
* `39.8.0`

### For more information

If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
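The workaround above (copy the frame's pixel data into an `ArrayBuffer` and bridge only that) as an added example written for this page; it is not code from the advisory or from Electron. The helper names `isVideoFrameLike`, `serializeFrameForBridge`, `assertBridgeSafe`, `makeBridgeApi` and the exposed `frames.grab` API are assumptions, and `makeFakeFrame` is a constructed stand-in for a WebCodecs `VideoFrame` so the helpers run under plain Node. The only WebCodecs calls used are `allocationSize()`, `copyTo()` (resolving to a `PlaneLayout[]`) and `close()`.

```javascript
'use strict';

// Duck-type check for a WebCodecs VideoFrame. A real VideoFrame exposes
// copyTo(), allocationSize() and close(); duck typing (rather than
// `instanceof VideoFrame`) keeps the check usable under plain Node.
function isVideoFrameLike(value) {
  return value !== null && typeof value === 'object' &&
    typeof value.copyTo === 'function' &&
    typeof value.allocationSize === 'function' &&
    typeof value.close === 'function';
}

// Copy a VideoFrame into a plain, structured-cloneable record. Only
// primitives and an ArrayBuffer leave this function; the VideoFrame itself
// is closed here and never reaches the main world.
async function serializeFrameForBridge(frame) {
  if (!isVideoFrameLike(frame)) {
    throw new TypeError('serializeFrameForBridge expects a VideoFrame');
  }
  const data = new ArrayBuffer(frame.allocationSize());
  const layout = await frame.copyTo(data); // resolves to PlaneLayout[]
  const record = {
    format: frame.format,
    codedWidth: frame.codedWidth,
    codedHeight: frame.codedHeight,
    timestamp: frame.timestamp,
    layout: layout.map((p) => ({ offset: p.offset, stride: p.stride })),
    data,
  };
  frame.close();
  return record;
}

// Defensive guard applied to every value returned through the bridge: walks
// plain objects and arrays and throws if a VideoFrame is found at any depth,
// so the unsafe pattern cannot slip through a nested field.
function assertBridgeSafe(value, path = 'value') {
  if (isVideoFrameLike(value)) {
    throw new TypeError(`${path} is a VideoFrame; serialize it before bridging`);
  }
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertBridgeSafe(v, `${path}[${i}]`));
  } else if (value && typeof value === 'object' &&
             !(value instanceof ArrayBuffer) && !ArrayBuffer.isView(value)) {
    for (const [k, v] of Object.entries(value)) {
      assertBridgeSafe(v, `${path}.${k}`);
    }
  }
  return value;
}

// Builds the object a preload script hands to exposeInMainWorld.
// `captureFrame` is whatever produces VideoFrames inside the preload
// (hypothetical here; e.g. a VideoDecoder output callback).
function makeBridgeApi(captureFrame) {
  return {
    grab: async () => {
      const frame = await captureFrame();
      return assertBridgeSafe(await serializeFrameForBridge(frame));
    },
  };
}

// Constructed stand-in for a 2x1 RGBA VideoFrame (sample input, not real data).
function makeFakeFrame() {
  const pixels = Uint8Array.from([10, 20, 30, 255, 40, 50, 60, 255]);
  return {
    format: 'RGBA', codedWidth: 2, codedHeight: 1, timestamp: 42,
    allocationSize: () => pixels.length,
    copyTo: async (dest) => { new Uint8Array(dest).set(pixels); return [{ offset: 0, stride: 8 }]; },
    close: () => {},
  };
}

// Wiring in an Electron preload; the require is guarded so this file also
// runs under plain Node. Replace the fake frame source with the real one.
let contextBridge = null;
try { ({ contextBridge } = require('electron')); } catch (_) { /* not running in Electron */ }
if (contextBridge) {
  contextBridge.exposeInMainWorld('frames', makeBridgeApi(async () => makeFakeFrame()));
}

if (typeof module !== 'undefined') {
  module.exports = { isVideoFrameLike, serializeFrameForBridge, assertBridgeSafe, makeBridgeApi, makeFakeFrame };
}
```

The main world receives `{ format, codedWidth, codedHeight, timestamp, layout, data }`, all of which `contextBridge` copies by value, so no `VideoFrame` prototype chain from the isolated world is ever reachable from the page. Keeping `assertBridgeSafe` on the return path (rather than relying on review alone) turns the advisory's "do not pass `VideoFrame`" rule into a runtime check that fails loudly if a later change reintroduces the object.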
Analysis
Context isolation bypass in Electron applications enables privilege escalation when VideoFrame objects are bridged to the main world. Attackers with XSS capabilities can leverage improperly bridged WebCodecs API VideoFrame objects to escape the isolated context and access Node.js APIs exposed in preload scripts. …
Remediation
Within 24 hours: Identify all Electron applications in production using WebCodecs API VideoFrame bridging to main world context; document current Electron versions deployed. Within 7 days: Implement input validation and XSS prevention controls (Content Security Policy, input sanitization) for all affected applications; restrict VideoFrame object exposure to isolated contexts only; review preload script permissions and remove unnecessary Node.js API exposure. …
Reference: GHSA-jfqg-hf23-qpw2