{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34780", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.556Z", "datePublished": "2026-04-04T00:02:02.224Z", "dateUpdated": "2026-04-08T03:55:42.004Z"}, "containers": {"cna": {"title": "Electron: Context Isolation bypass via contextBridge VideoFrame transfer", "problemTypes": [{"descriptions": [{"cweId": "CWE-668", "lang": "en", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1188", "lang": "en", "description": "CWE-1188: Insecure Default Initialization of Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2"}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"version": ">= 39.0.0-alpha.1, < 39.8.0", "status": "affected"}, {"version": ">= 40.0.0-alpha.1, < 40.7.0", "status": "affected"}, {"version": ">= 41.0.0-alpha.1, < 41.0.0-beta.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-04T00:02:02.224Z"}, "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8."}], "source": {"advisory": "GHSA-jfqg-hf23-qpw2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-34780"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T03:55:42.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34780", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:49:13.726051Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:49:17.194Z"}}], "cna": {"title": "Electron: Context Isolation bypass via contextBridge VideoFrame transfer", "source": {"advisory": "GHSA-jfqg-hf23-qpw2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": ">= 39.0.0-alpha.1, < 39.8.0"}, {"status": "affected", "version": ">= 40.0.0-alpha.1, < 40.7.0"}, {"status": "affected", "version": ">= 41.0.0-alpha.1, < 41.0.0-beta.8"}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2", "name": "https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188: Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-04T00:02:02.224Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34780", "state": "PUBLISHED", "dateUpdated": "2026-04-08T03:55:42.004Z", "dateReserved": "2026-03-30T19:54:55.556Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-04T00:02:02.224Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8."}], "id": "CVE-2026-34780", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-04T01:16:39.540", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}, {"lang": "en", "value": "CWE-1188"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "electron: Electron: Context Isolation bypass via VideoFrame object transfer", "id": "2455020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455020"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-501", "details": ["Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.", "A flaw was found in Electron, a framework for building cross-platform desktop applications. An attacker capable of executing JavaScript in the main world, for instance through a cross-site scripting (XSS) vulnerability, could exploit this flaw. By passing VideoFrame objects from the WebCodecs API across the contextBridge, the attacker could bypass context isolation. This allows them to gain unauthorized access to the isolated world, including Node.js APIs exposed to the preload script, potentially leading to arbitrary code execution within the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34780", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Affected", "package_name": "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-04-04T00:02:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34780\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34780\nhttps://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[39.0.0-alpha.1,39.8.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[40.0.0-alpha.1,40.7.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[41.0.0-alpha.1,41.0.0-beta.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "electron", "source": "cna", "vendor": "electron"}, "product": "electron", "vendor": "electron"}], "analysis": {"en": {"generated_at": "2026-04-07T02:13:00.201084+00:00", "value": {"mitigation_remediation": ["Upgrade Electron to 39.8.0 or newer, 40.7.0 or newer, or 41.0.0-beta.8 or newer.", "Avoid passing VideoFrame objects through contextBridge.exposeInMainWorld().", "Ensure preload scripts do not expose VideoFrames to the main world.", "Mitigate XSS vectors by validating and sanitizing user input and enforcing strict Content Security Policies."], "summary": {"action": "Immediate Patch", "impact": "Node.js API execution via context isolation bypass"}, "threat_synthesis": {"affected_systems": "The vendor is Electron, the framework for desktop applications built with web technologies. The vulnerability affects the Electron runtime itself in the listed version ranges. Any Electron application that exposes VideoFrame objects through contextBridge.exposeInMainWorld() is at risk; all versions prior to 39.8.0, before 40.7.0, and before 41.0.0-beta.8 remain vulnerable, while 39.8.0, 40.7.0, and 41.0.0-beta.8 or later contain the fix.", "description_and_impact": "Electron applications that embed WebCodecs VideoFrame objects in the renderer process are vulnerable in versions 39.0.0-alpha.1 through before 39.8.0, 40.0.0-alpha.1 through before 40.7.0, and 41.0.0-alpha.1 through before 41.0.0-beta.8. A flaw in the contextBridge implementation allows JavaScript execution in the main world to expose a bridged VideoFrame to the isolation boundary; the VideoFrame then leaks into the isolated world, giving the attacker direct access to Node.js APIs exposed by the preload script. This bypass enables execution of privileged code and compromises confidentiality and integrity of the application data.", "risk_and_exploitability": "The CVSS score of 8.4 reflects high severity due to the potential for arbitrary code execution. The EPSS score is below 1%, indicating exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Attackers would first need to achieve JavaScript execution in the main world, commonly via XSS, and then use the context bridge to pass a VideoFrame, thereby gaining access to Node.js code in the isolated world."}}}}, "created": "2026-04-06T20:27:48.868343+00:00", "updated": "2026-04-07T07:16:22.581689+00:00", "vendors": ["electron", "electron$PRODUCT$electron"]}