Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.9
Electron: Malicious Service Worker Can Inject Fake Data
GHSA-xj5x-m3f3-5x3h
CVE-2026-34778
Summary
A malicious service worker can trick Electron apps into accepting fake data by manipulating the results of executeJavaScript(). To fix this, developers should not rely on executeJavaScript() for security decisions and use secure channels for communication between the main process and renderers.
What to do
- Update electron to version 38.8.6.
- Update electron to version 39.8.1.
- Update electron to version 40.8.1.
- Update electron to version 41.0.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | electron | <= 38.8.6 | 38.8.6 |
| – | electron | > 39.0.0-alpha.1 , <= 39.8.1 | 39.8.1 |
| – | electron | > 40.0.0-alpha.1 , <= 40.8.1 | 40.8.1 |
| – | electron | > 41.0.0-alpha.1 , <= 41.0.0 | 41.0.0 |
Original title
Electron: Service worker can spoof executeJavaScript IPC replies
Original description
### Impact
A service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions.
### Workarounds
Do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
### Fixed Versions
* `41.0.0`
* `40.8.1`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
A service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions.
### Workarounds
Do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
### Fixed Versions
* `41.0.0`
* `40.8.1`
* `39.8.1`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
ghsa CVSS3.1
5.9
Vulnerability type
CWE-290
CWE-345
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026