CVE-2026-34778

medium Red Hat
CVSS v3 Base Score
5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 100% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Confidentiality
Low
Integrity
High
Availability
None
Published: April 3, 2026 (97 days ago)
Last Modified: April 3, 2026
Vendor: Red Hat
Source: REDHAT

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

CWE

CWE-290

Affected Products

Red Hat Build of Podman DesktopRed Hat Build of Podman Desktop - Tech Preview

References