CVE-2026-34780

high Red Hat
CVSS v3 Base Score
8.0
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score
0.0%
Exploitation probability in 30 days
Top 98% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Published: April 4, 2026 (97 days ago)
Last Modified: April 4, 2026
Vendor: Red Hat
Source: REDHAT

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.

CWE

CWE-501

Affected Products

Red Hat Build of Podman DesktopRed Hat Build of Podman Desktop - Tech Preview

References