CVE-2026-34766

{"id": "CVE-2026-34766", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-04-04T00:16:17.140", "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8."}], "lastModified": "2026-04-09T16:23:12.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9CE003A2-03CC-4355-AA17-2CBD204EC6C3", "versionEndExcluding": "38.8.6"}, {"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "642CA6B2-000A-480D-B062-80593D150787", "versionEndExcluding": "39.8.0", "versionStartIncluding": "39.0.0"}, {"criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E54036E0-1D1F-4265-A2F3-B9C1F88F65ED", "versionEndExcluding": "40.7.0", "versionStartIncluding": "40.0.0"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A20225D6-F435-4D09-962D-B162F521B6AD"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "33712802-EB60-4E9A-83B8-9F2320B70CB4"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9D0A9142-54FE-47BB-9FEB-5E97528E28FE"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9E1D191F-DEAE-4DB3-9822-F31AF9FE3BAC"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "45A8192F-3D2C-4987-9BBE-7ECC3F71965D"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EEA1A2E5-03DB-46CB-8427-7F31A8A7CE1C"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B2DFCE75-BD3F-4537-B5B8-14097E262EA2"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BC346E25-EA43-4615-8CDB-16D15D46E4FF"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FA5B3C00-CAFC-4995-BF35-9920F3039E77"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3672F3FB-6B5E-40FD-8A92-CB4DD6BC6A93"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9EE4F8AE-21D2-4815-85B7-B7ECCC0D5059"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D195760C-7DD9-4259-9042-EDE65AEAC1D6"}, {"criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B370859F-24D3-4B25-B580-1A5B6DB94BFE"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}