Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34767.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-113",
"CWE-74"
]
}{
"cpe": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "38.8.6"
},
{
"introduced": "39.0.0"
},
{
"fixed": "39.8.3"
},
{
"introduced": "40.0.0"
},
{
"fixed": "40.8.3"
},
{
"introduced": "41.0.0"
},
{
"fixed": "41.0.3"
}
],
"source": "CPE_RANGE"
}