GHSA-f3pv-wv63-48x8

Source

https://github.com/advisories/GHSA-f3pv-wv63-48x8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f3pv-wv63-48x8

Aliases

CVE-2026-34765

Published

2026-04-07T15:52:25Z

Modified

2026-04-08T12:08:27.365316Z

Severity

6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Electron: Named window.open targets not scoped to the opener's browsing context

Details

Impact

When a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions.

Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.

Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution.

Workarounds

Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.

Fixed Versions

42.0.0-alpha.5
41.1.0
40.8.5
39.8.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T15:52:25Z",
    "cwe_ids": [
        "CWE-668"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-04-07T22:16:22Z"
}

References

Affected packages

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

39.8.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

40.0.0-alpha.1

Fixed

40.8.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

41.0.0-alpha.1

Fixed

41.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

42.0.0-alpha.1

Fixed

42.0.0-alpha.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f3pv-wv63-48x8/GHSA-f3pv-wv63-48x8.json"