CVE-2026-34767

// Conceptual vulnerable code pattern in Electron // const { protocol } = require('electron'); // // protocol.handle('custom', (req) => { // const url = new URL(req.url); // let userInput = url.searchParams.get('data'); // // // VULNERABILITY: Directly reflecting user input into a response header // return new Response('Hello', { // headers: { // 'X-User-Input': userInput // } // }); // }); // Exploit Payload (Attacker controlled input) // Input: "attacker_value\r\nX-Injected-Header: pwned\r\nSet-Cookie: malicious=true" // // Resulting Headers: // X-User-Input: attacker_value // X-Injected-Header: pwned // Set-Cookie: malicious=true

{"cve": {"id": "CVE-2026-34767", "sourceIdentifier": "[email protected]", "published": "2026-04-04T00:16:17.337", "lastModified": "2026-04-09T16:16:48.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-113"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "38.8.6", "matchCriteriaId": "9CE003A2-03CC-4355-AA17-2CBD204EC6C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "39.0.0", "versionEndExcluding": "39.8.3", "matchCriteriaId": "28639571-DE42-4046-BDB6-A7F753D47255"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "40.0.0", "versionEndExcluding": "40.8.3", "matchCriteriaId": "1595685F-2DCF-4816-A61F-C70EA6983F11"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "41.0.0", "versionEndExcluding": "41.0.3", "matchCriteriaId": "495575BF-D738-4BD5-B248-171B2FEFE44A"}]}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}