Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting electron package, versions <38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-ELECTRON-15876714
- published3 Apr 2026
- disclosed3 Apr 2026
- creditUnknown
Introduced: 3 Apr 2026
NewCVE-2026-34773 (opens in a new tab)How to fix?
Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the app.setAsDefaultProtocolClient function. An attacker can gain the ability to write to arbitrary registry subkeys by supplying a crafted protocol name derived from untrusted input. This may allow hijacking of existing protocol handlers.
Note:
This is only exploitable if the protocol name passed to app.setAsDefaultProtocolClient is not hardcoded and is instead derived from external or untrusted sources.
Workaround
This vulnerability can be mitigated by validating the protocol name matches the regular expression /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().