{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34768", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.555Z", "datePublished": "2026-04-03T23:44:55.776Z", "dateUpdated": "2026-04-06T19:08:58.533Z"}, "containers": {"cna": {"title": "Electron: Unquoted executable path in app.setLoginItemSettings on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-428", "lang": "en", "description": "CWE-428: Unquoted Search Path or Element", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j"}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"version": "< 38.8.6", "status": "affected"}, {"version": ">= 39.0.0-alpha.1, < 39.8.1", "status": "affected"}, {"version": ">= 40.0.0-alpha.1, < 40.8.0", "status": "affected"}, {"version": ">= 41.0.0-alpha.1, < 41.0.0-beta.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:44:55.776Z"}, "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8."}], "source": {"advisory": "GHSA-jfqx-fxh3-c62j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:08:45.331606Z", "id": "CVE-2026-34768", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:08:58.533Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34768", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:08:45.331606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:08:53.839Z"}}], "cna": {"title": "Electron: Unquoted executable path in app.setLoginItemSettings on Windows", "source": {"advisory": "GHSA-jfqx-fxh3-c62j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "electron", "product": "electron", "versions": [{"status": "affected", "version": "< 38.8.6"}, {"status": "affected", "version": ">= 39.0.0-alpha.1, < 39.8.1"}, {"status": "affected", "version": ">= 40.0.0-alpha.1, < 40.8.0"}, {"status": "affected", "version": ">= 41.0.0-alpha.1, < 41.0.0-beta.8"}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j", "name": "https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-428", "description": "CWE-428: Unquoted Search Path or Element"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T23:44:55.776Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34768", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:08:58.533Z", "dateReserved": "2026-03-30T19:54:55.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T23:44:55.776Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9CE003A2-03CC-4355-AA17-2CBD204EC6C3", "versionEndExcluding": "38.8.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8F28D187-306E-4C9D-ADED-56DD79B04AF3", "versionEndExcluding": "39.8.1", "versionStartIncluding": "39.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "450879B0-EFE3-43AE-BE1F-2456A9C74AA7", "versionEndExcluding": "40.8.0", "versionStartIncluding": "40.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "A20225D6-F435-4D09-962D-B162F521B6AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "33712802-EB60-4E9A-83B8-9F2320B70CB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "9D0A9142-54FE-47BB-9FEB-5E97528E28FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "9E1D191F-DEAE-4DB3-9822-F31AF9FE3BAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "45A8192F-3D2C-4987-9BBE-7ECC3F71965D", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "EEA1A2E5-03DB-46CB-8427-7F31A8A7CE1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*", "matchCriteriaId": "B2DFCE75-BD3F-4537-B5B8-14097E262EA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*", "matchCriteriaId": "BC346E25-EA43-4615-8CDB-16D15D46E4FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*", "matchCriteriaId": "FA5B3C00-CAFC-4995-BF35-9920F3039E77", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*", "matchCriteriaId": "3672F3FB-6B5E-40FD-8A92-CB4DD6BC6A93", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*", "matchCriteriaId": "9EE4F8AE-21D2-4815-85B7-B7ECCC0D5059", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*", "matchCriteriaId": "D195760C-7DD9-4259-9042-EDE65AEAC1D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*", "matchCriteriaId": "B370859F-24D3-4B25-B580-1A5B6DB94BFE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8."}], "id": "CVE-2026-34768", "lastModified": "2026-04-09T16:10:39.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-04T00:16:17.500", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "electron: Electron: Arbitrary code execution via unquoted path in Run registry key", "id": "2454996", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454996"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-428", "details": ["Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.", "A flaw was found in Electron. On Windows, when an application is installed to a path containing spaces and configured to open at login, the executable path is written to the system's Run registry key without proper quoting. An attacker with write access to an ancestor directory can exploit this to cause a different, malicious executable to run at login instead of the intended application, potentially leading to arbitrary code execution. Exploitation typically requires a non-standard installation location."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34768", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Not affected", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Not affected", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Not affected", "package_name": "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-04-03T23:44:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34768\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34768\nhttps://github.com/electron/electron/security/advisories/GHSA-jfqx-fxh3-c62j"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,38.8.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[39.0.0-alpha.1,39.8.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[40.0.0-alpha.1,40.8.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[41.0.0-alpha.1,41.0.0-beta.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "electron", "source": "cna", "vendor": "electron"}, "product": "electron", "vendor": "electron"}], "analysis": {"en": {"generated_at": "2026-04-04T02:23:42.759690+00:00", "value": {"mitigation_remediation": ["Upgrade Electron to a patched release (38.8.6, 39.8.1, 40.8.0, or 41.0.0\u2011beta.8 or later).", "Reinstall the application in a directory path that contains no spaces or that the user cannot modify."], "summary": {"action": "Patch", "impact": "Execution of arbitrary code at system startup"}, "threat_synthesis": {"affected_systems": "The flaw is present in Electron framework versions older than 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8 when operating on Windows. Applications that rely on this API to enable launch at login and install to paths with spaces are affected.", "description_and_impact": "Electron applications on Windows that use app.setLoginItemSettings({openAtLogin: true}) may write the executable path to the Run registry key without quoting. If the installation directory contains spaces and an attacker can write to a parent directory, they can replace the intended path with a malicious executable that runs when the user logs in. This permits arbitrary code execution under the user\u2019s account during startup, potentially enabling persistence, credential theft, or other malicious activity.", "risk_and_exploitability": "The CVSS score is 3.9, reflecting low severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires write access to a directory above the application\u2019s install location, which usually implies non\u2011standard installation or elevated privileges. Consequently the risk is moderate and highly dependent on the deployment environment."}}}}, "created": "2026-04-06T21:21:41.482583+00:00", "updated": "2026-04-06T22:21:19.260961+00:00", "vendors": ["electron", "electron$PRODUCT$electron"]}