Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2026-34768
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 week, 6 days ago
Electron: Unquoted executable path in app.setLoginItemSettings on Windows

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

Affected products

electron
  • ==< 38.8.6
  • ==>= 41.0.0-alpha.1, < 41.0.0-beta.8
  • ==>= 39.0.0-alpha.1, < 39.8.1
  • ==>= 40.0.0-alpha.1, < 40.8.0

Matching in nixpkgs

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail