Unquoted Search Path or Element Affecting electron package, versions <38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.0>=41.0.0-alpha.1 <41.0.0-beta.8
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-ELECTRON-15876117
- published3 Apr 2026
- disclosed3 Apr 2026
- creditUnknown
Introduced: 3 Apr 2026
NewCVE-2026-34768 (opens in a new tab)How to fix?
Upgrade electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Unquoted Search Path or Element in the app.setLoginItemSettings function on Windows when the executable path is written to the Run registry key without proper quoting. An attacker can execute arbitrary code at login by placing a malicious executable in an ancestor directory if the application is installed to a path containing spaces and the attacker has write access to that directory.
Note:
This is only exploitable if the application is installed in a non-standard location where ancestor directories are not protected against unauthorized writes.
Workaround
This vulnerability can be mitigated by installing the application to a path without spaces or to a location where all ancestor directories are protected against unauthorized writes.