[deps] Platform: Update electron to v39.8.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
electron	39.2.6 → 39.8.5

GitHub Vulnerability Alerts

CVE-2026-34766

Impact

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

• 41.0.0-beta.8
• 40.7.0
• 39.8.0
• 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34767

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

Fixed Versions

• 41.0.3
• 40.8.3
• 39.8.3
• 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34768

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.

Fixed Versions

• 41.0.0-beta.8
• 40.8.0
• 39.8.1
• 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34769

Impact

An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.

Workarounds

Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.

Fixed Versions

• 41.0.0-beta.8
• 40.7.0
• 39.8.0
• 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34770

Impact

Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.

All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

• 41.0.0-beta.8
• 40.8.0
• 39.8.1
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34771

Impact

Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.

Workarounds

Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.

Fixed Versions

• 41.0.0-beta.8
• 40.7.0
• 39.8.0
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34772

Impact

Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.

Workarounds

Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.

Fixed Versions

• 41.0.0-beta.7
• 40.7.0
• 39.8.0
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34773

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions

• 41.0.0
• 40.8.1
• 39.8.1
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34775

Impact

The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.

Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.

Workarounds

Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.

Fixed Versions

• 41.0.0
• 40.8.4
• 39.8.4
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34776

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

• 41.0.0
• 40.8.1
• 39.8.1
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34777

Impact

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

Workarounds

In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.

Fixed Versions

• 41.0.0
• 40.8.1
• 39.8.1
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34778

Impact

A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.

Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.

Workarounds

Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.

Fixed Versions

• 41.0.0
• 40.8.1
• 39.8.1
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34779

Impact

On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.

Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

• 41.0.0-beta.8
• 40.8.0
• 39.8.1
• 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34780

Impact

Apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script.

Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected.

Workarounds

Do not pass VideoFrame objects across contextBridge. If an app needs to transfer video frame data, serialize it to an ArrayBuffer or ImageBitmap before bridging.

Fixed Versions

• 41.0.0-beta.8
• 40.7.0
• 39.8.0

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34774

Impact

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

Workarounds

Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.

Fixed Versions

• 41.0.0
• 40.7.0
• 39.8.1

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34764

Impact

Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.

Workarounds

Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.

Fixed Versions

• 42.0.0-alpha.5
• 41.1.0
• 40.8.5
• 39.8.5

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34781

Impact

Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.

Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.

Workarounds

Validate that the clipboard contains image data via clipboard.availableFormats() before calling clipboard.readImage(). Note this only narrows the window — upgrading to a fixed version is recommended.

Fixed Versions

• 42.0.0-alpha.5
• 41.1.0
• 40.8.5
• 39.8.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

---

Release Notes

electron/electron (electron)

v39.8.5: electron v39.8.5

Compare Source

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #​50493 ^{(Also in 40, 41, 42)}
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #​50499 ^{(Also in 40, 41, 42)}

v39.8.4: electron v39.8.4

Compare Source

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #​50468 ^{(Also in 38, 40, 41)}
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #​50400 ^{(Also in 40, 41, 42)}
• Fixed improper focus tracking in BaseWindow on MacOS. #​50338 ^{(Also in 40, 41, 42)}
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #​50341 ^{(Also in 40, 41, 42)}

Other Changes

• Added support for using a proxy during yarn install. #​50349 ^{(Also in 40, 41, 42)}
• Backported fix for 4859353. #​50440
• Backported fix for 4893813. #​50443
• Backported fix for chromium:475877320. #​50436
• Backported fixes for 4847510, 4871177. #​50461

v39.8.3: electron v39.8.3

Compare Source

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #​50284 ^{(Also in 40, 41, 42)}
• Fixed user resizing of transparent windows on win32 platform. #​50300 ^{(Also in 40, 41, 42)}

v39.8.2: electron v39.8.2

Compare Source

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #​50230

v39.8.1: electron v39.8.1

Compare Source

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #​50156 ^{(Also in 38, 40, 41)}
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #​50215 ^{(Also in 40, 41)}
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #​50136 ^{(Also in 40, 41)}
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #​50174 ^{(Also in 38, 40, 41)}
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #​50106 ^{(Also in 40, 41)}
• Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #​50086 ^{(Also in 40, 41)}
• Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #​50129 ^{(Also in 38, 40, 41)}
• Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #​50147 ^{(Also in 38, 40, 41)}
• Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #​50208 ^{(Also in 40, 41)}
• Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #​50190 ^{(Also in 40, 41)}
• Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #​49995 ^{(Also in 40, 41)}
• Fixed shutdown crash on windows when hidden titlebar is enabled. #​50054 ^{(Also in 40, 41)}
• Reverted AltGr key fix that caused menu bar to no longer show on Windows. #​50109 ^{(Also in 40, 41)}

Other Changes

• Backported fix for b/484983991. #​50167
• Backported fix for chromium:485622239. #​50171
• Updated Node.js to v22.22.1. #​50100

v39.8.0: electron v39.8.0

Compare Source

Release Notes for v39.8.0

Features

• Added support for --experimental-transform-types. #​49881 ^{(Also in 40, 41)}

Fixes

• Fixed an issue on macOS where Universal Links were not delivered to app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #​50004 ^{(Also in 40, 41)}
• Fixed an issue where VideoFrame objects returned through contextBridge had an incorrect prototype. #​50021 ^{(Also in 40, 41)}
• Fixed an issue where setting zoomFactor in setWindowOpenHandler's overrideBrowserWindowOptions had no effect on windows opened via window.open(). #​49910 ^{(Also in 40, 41)}

v39.7.0: electron v39.7.0

Compare Source

Release Notes for v39.7.0

Features

• Added support for long-animation-frame script attribution (via --enable-features=AlwaysLogLOAFURL). #​49771 ^{(Also in 40, 41)}

Fixes

• Fixed an issue where frameless windows had resize issues in Mac App Store builds. #​49861 ^{(Also in 40, 41)}
• Fixed an issue where menu item enabled state wasn't updated during key equivalent dispatch when the menu was closed on macOS. #​49888 ^{(Also in 40, 41)}
• Fixed an issue where pressing AltGr could activate or focus the menu bar. #​49914 ^{(Also in 40, 41)}
• Fixed memory leak when setting icons on Linux/GTK. #​49896 ^{(Also in 38, 40, 41)}

v39.6.1: electron v39.6.1

Compare Source

Release Notes for v39.6.1

Fixes

• Fixed draggable regions not updating position when DevTools is docked to the left or right in a frameless window. #​49846 ^{(Also in 41)}

v39.6.0: electron v39.6.0

Compare Source

Release Notes for v39.6.0

Features

• Added a disclaim option to the UtilityProcess API to allow for TCC disclaiming on macOS. #​49696 ^{(Also in 40, 41)}

Fixes

• Addressed upstream Chromium shift to enable CoreAudio Tap API for audio capture used in electron's desktopCapturer (🍏 macOS). #​49740 ^{(Also in 41)}

Other Changes

• Backported fix for 4835695. #​49791

v39.5.2: electron v39.5.2

Compare Source

Release Notes for v39.5.2

Fixes

• Fixed a crash that could occur when using the File System Access API. #​49634 ^{(Also in 40, 41)}
• Fixed an issue where alt+space triggered th system context menu even if an accelerator was registered for the hotkey combination. #​49641 ^{(Also in 40, 41)}
• Fixed an issue where role-based menu items were incorrectly returning null for their accelerator property. #​49670 ^{(Also in 40, 41)}
• Fixed application input broken on certain wayland compositors when DND action was cancelled. #​49694
• Fixed dock menu items not respecting enabled and checked properties on macOS. #​49626 ^{(Also in 38, 40, 41)}

Other Changes

• Refactored our MSIX updater code to use an upstream Chromium pattern and eliminates the need for special exception handling build flags. #​49688 ^{(Also in 40, 41)}

Unknown

• Fixed squirrel.mac stacked update behavior to old staged updates. #​49637 ^{(Also in 40, 41)}

v39.5.1: electron v39.5.1

Compare Source

Release Notes for v39.5.1

Fixes

• Fixed rendering glitches on macOS. #​49615 ^{(Also in 40, 41)}

v39.5.0: electron v39.5.0

Compare Source

Release Notes for v39.5.0

Features

• Added support for MSIX auto-updating. #​49585 ^{(Also in 40, 41)}

Fixes

• Fixed an issue where menu item accelerators stopped working after the item's enabled property was toggled on macOS. #​49593 ^{(Also in 40, 41)}
• Fixed an issue whereby a duplicate "Toggle Full Screen" menu item appeared in the View menu on macOS. #​49597 ^{(Also in 38, 40, 41)}

v39.4.0: electron v39.4.0

Compare Source

Release Notes for v39.4.0

Fixes

• Fixed an issue in chrome://accessibility. #​49559 ^{(Also in 40, 41)}
• Fixed an issue where shell.writeShortcutLink was throwing TypeError: Insufficient number of arguments when called with just [(path, options)]. #​49502 ^{(Also in 40, 41)}
• Fixed crash in platform_util::Beep() on Linux. #​49484 ^{(Also in 40, 41)}

Other Changes

• Updated Node.js to v22.22.0. #​49389

Unknown

• Fixed an issue where some packages weren't correctly filtered on macOS in dialogs. #​49472 ^{(Also in 38, 40, 41)}

v39.3.0: electron v39.3.0

Compare Source

Release Notes for v39.3.0

Features

• Added support for WebSocket authentication through the login event on webContents. #​49065 ^{(Also in 40)}

Fixes

• Fixed setRepresentedFilename() not setting AXDocument accessibility attribute on macOS. #​49418 ^{(Also in 40)}
• Fixed a potential race condition crash when opening DevTools. #​49423 ^{(Also in 40)}
• Fixed stack overflow when compiling deeply nested JS functions. #​49360
• Made toplevel icon Wayland protocol work. #​49415 ^{(Also in 40)}
• Requests sent via net are now capable of having their headers modified to use reserved headers via webRequest. #​49242 ^{(Also in 40)}

Other Changes

• Backported fix for 4667866. #​49287
• Updated Chromium to 142.0.7444.265. #​49322

v39.2.7: electron v39.2.7

Compare Source

Release Notes for v39.2.7

Other Changes

• Updated Chromium to 142.0.7444.235. #​49190

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.74%. Comparing base (3aa627c) to head (cae8155).
⚠️ Report is 90 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #19963   +/-   ##
=======================================
  Coverage   46.74%   46.74%           
=======================================
  Files        3882     3882           
  Lines      116324   116324           
  Branches    17722    17722           
=======================================
  Hits        54373    54373           
  Misses      59478    59478           
  Partials     2473     2473           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 256db0c8-a748-4eda-98c4-11edfc912bb2

---

New Issues (33)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 360	details Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
2		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
3		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 360	details Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
4		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
5		CVE-2026-34043	Npm-serialize-javascript-6.0.2	details Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-34043	Npm-serialize-javascript-7.0.4	details Recommended version: 7.0.5 Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is... Attack Vector
8		Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 397	details Method Lambda at line 397 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
9		Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 397	details Method Lambda at line 397 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
10		SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
11		SSRF	/libs/common/src/services/api.service.ts: 1324	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
12		SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
13		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
14		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
15		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
16		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
17		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
18		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
19		Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web... Attack Vector
20		HttpOnly_Cookie_Flag_Not_Set	/apps/desktop/src/platform/services/server-communication-config/default-server-communication-config.service.ts: 71	details The web application's getCookies method creates a cookie cookies, at line 71 of /apps/desktop/src/platform/services/server-communication-config/d... Attack Vector
21		HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 37	details The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp... Attack Vector
22		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 403	details The application takes sensitive, personal data cipher, found at line 403 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
23		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 402	details The application takes sensitive, personal data cipherService, found at line 402 of /apps/cli/src/commands/get.command.ts, and stores it in an unp... Attack Vector
24		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 76	details The application takes sensitive, personal data password, found at line 76 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
25		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 387	details The application takes sensitive, personal data cipher, found at line 387 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
26		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 81	details The application takes sensitive, personal data password, found at line 81 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
27		Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
28		SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 219	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in . The rejectUnauthorized parameter, at line 219, effectively disables verifi... Attack Vector
29		SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 301	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in Lambda. The rejectUnauthorized parameter, at line 301, effectively disables ... Attack Vector
30		Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/svg/svg.component.ts: 29	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/svg/svg.component.ts in ... Attack Vector
31		Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 96	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar... Attack Vector
32		Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 107	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
33		Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector

---

Fixed Issues (14)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2025-13631	Npm-electron-39.2.6
	CVE-2025-13633	Npm-electron-39.2.6
	CVE-2025-13638	Npm-electron-39.2.6
	CVE-2025-13639	Npm-electron-39.2.6
	CVE-2025-13720	Npm-electron-39.2.6
	CVE-2025-13721	Npm-electron-39.2.6
	CVE-2026-0628	Npm-electron-39.2.6
	CVE-2026-1861	Npm-electron-39.2.6
	CVE-2026-2321	Npm-electron-39.2.6
	CVE-2025-13632	Npm-electron-39.2.6
	CVE-2025-13635	Npm-electron-39.2.6
	CVE-2025-13636	Npm-electron-39.2.6
	CVE-2025-13637	Npm-electron-39.2.6
	CVE-2025-13640	Npm-electron-39.2.6

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[dani-garcia]

The upgrade to 39.8.5 seems pretty safe. No breaking changes, and it's possible that several bug fixes directly help us (auto-updater quitAndInstall fix, clipboard crash fix, macOS menu accelerator fix, window freeze fixes on macOS and Windows, single-instance data truncation on Windows).

For the custom scheme migration (PR #19208), the protocol validation hardening in 39.8.1 is actually a mild positive that we already comply with.

Two icon improvements landed: Wayland toplevel icon protocol support (v39.3.0) and a Linux/GTK icon memory leak fix (v39.7.0). Both are good, though the Wayland one won't matter until the X11 fallback is removed.

None of the Electron 39 issues are resolved by this upgrade and all remain open upstream. The X11 fallback in linux-wrapper.sh is still necessary for now.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud