GHSA-jfqx-fxh3-c62j

Source
https://github.com/advisories/GHSA-jfqx-fxh3-c62j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jfqx-fxh3-c62j/GHSA-jfqx-fxh3-c62j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jfqx-fxh3-c62j
Aliases
  • CVE-2026-34768
Published
2026-04-03T02:38:08Z
Modified
2026-04-03T02:47:29.475246Z
Severity
  • 3.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Summary
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
Details

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.
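The following audit helper is an added example, not Electron's own code: it classifies Run-key command strings the way the Impact and Workarounds sections describe, flags unquoted paths containing spaces (CWE-428), produces the quoted form, and lists the ancestor directories whose write permissions must be verified. The sample registry values are constructed.

```javascript
// Added example (not Electron project code): audit Windows Run-key values for
// unquoted executable paths, the defect described in this advisory.

// The executable path ends at the first .exe/.cmd/.bat/.com token; what follows is arguments.
const EXE_RE = /^(.*?\.(?:exe|cmd|bat|com))(?=\s|$)(.*)$/i;

function parentDir(p) {
  const i = Math.max(p.lastIndexOf('\\'), p.lastIndexOf('/'));
  return i === -1 ? '' : p.slice(0, i + 1);
}

// Classify one Run-key value and return the hardened (quoted) form.
function auditRunValue(command) {
  const value = command.trim();
  if (value.startsWith('"')) {
    const end = value.indexOf('"', 1);
    return end === -1
      ? { status: 'malformed', exe: null, hardened: null, dirsToCheck: [] }
      : { status: 'quoted', exe: value.slice(1, end), hardened: value, dirsToCheck: [] };
  }
  const m = EXE_RE.exec(value);
  if (!m) return { status: 'unrecognized', exe: null, hardened: null, dirsToCheck: [] };
  const exe = m[1];
  const args = m[2].trim();
  const hardened = args ? `"${exe}" ${args}` : `"${exe}"`;
  if (!/\s/.test(exe)) return { status: 'unquoted-safe', exe, hardened: value, dirsToCheck: [] };
  // Every space in an unquoted path is a point where the loader may stop early, so the
  // directory holding each truncated prefix is an "ancestor directory" that must not be
  // writable by standard users (the condition the Workarounds section refers to).
  const dirsToCheck = [];
  const words = exe.split(' ');
  for (let i = 1; i < words.length; i++) {
    const dir = parentDir(words.slice(0, i).join(' '));
    if (dir && !dirsToCheck.includes(dir)) dirsToCheck.push(dir);
  }
  return { status: 'vulnerable', exe, hardened, dirsToCheck };
}

// Constructed sample entries as they might appear under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Run (names and paths are made up).
const SAMPLE_RUN_VALUES = {
  MyApp: 'C:\\Program Files\\My App\\MyApp.exe --hidden',
  OtherApp: '"C:\\Program Files\\Other App\\Other.exe" --minimized',
  Tool: 'C:\\Tools\\tool.exe',
};

function auditAll(values) {
  return Object.entries(values).map(([name, cmd]) => ({ name, ...auditRunValue(cmd) }));
}
```

On a real machine, feed `auditAll` the values read from the Run key (for example via `reg query`) and review the ACLs of every directory in `dirsToCheck` for entries whose status is `vulnerable`.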

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org.

Database specific
{
    "cwe_ids": [
        "CWE-428"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "LOW",
    "github_reviewed_at": "2026-04-03T02:38:08Z"
}
References

Affected packages

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
38.8.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jfqx-fxh3-c62j/GHSA-jfqx-fxh3-c62j.json"

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
39.0.0-alpha.1
Fixed
39.8.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jfqx-fxh3-c62j/GHSA-jfqx-fxh3-c62j.json"

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
40.0.0-alpha.1
Fixed
40.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jfqx-fxh3-c62j/GHSA-jfqx-fxh3-c62j.json"

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
41.0.0-alpha.1
Fixed
41.0.0-beta.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jfqx-fxh3-c62j/GHSA-jfqx-fxh3-c62j.json"