CVE-2026-34780: Electron: Context Isolation bypass via contextBridge VideoFrame transfer

April 3, 2026 (updated April 6, 2026)

Apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script.

Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected.

References

github.com/advisories/GHSA-jfqg-hf23-qpw2
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2
nvd.nist.gov/vuln/detail/CVE-2026-34780

Code Behaviors & Features

Detect and mitigate CVE-2026-34780 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →