Skip to main content

electerm CVE-2026-43940

| EUVDEUVD-2026-28512 HIGH
Path Traversal (CWE-22)
2026-05-08 GitHub_M GHSA-f77v-9vpc-6pjm
8.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 08, 2026 - 05:01 EUVD
Analysis Generated
May 08, 2026 - 04:31 vuln.today
CVE Published
May 08, 2026 - 02:58 nvd
HIGH 8.4

DescriptionGitHub Advisory

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.

AnalysisAI

Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. The vulnerability enables filesystem-wide arbitrary JavaScript file loading and execution through unsanitized path concatenation in runWidget function, bypassing Electron's process isolation. Vendor-released patch available in version 3.7.16. EPSS data not available; no confirmed active exploitation (not in CISA KEV).

Technical ContextAI

electerm is an Electron-based terminal emulator supporting multiple protocols (SSH, SFTP, Telnet, RDP, VNC, Spice). The vulnerability exists in the main-to-renderer IPC (Inter-Process Communication) bridge architecture inherent to Electron applications. The runWidget function in src/app/widgets/load-widget.js accepts widget identifiers from the renderer process via an async IPC handler and directly concatenates them into filesystem paths without validation. This is a classic CWE-22 path traversal vulnerability where directory traversal sequences (../) can escape the intended widget directory. Because Electron's main process runs with full Node.js privileges while the renderer is sandboxed, exposing filesystem operations to renderer-controlled input creates a privilege escalation vector. The flaw breaks the security boundary between sandboxed renderer code and privileged main process operations.

RemediationAI

Upgrade to electerm version 3.7.16 immediately, available at https://github.com/electerm/electerm/releases/tag/v3.7.16. The patch implements input validation and sanitization in the runWidget IPC handler to prevent directory traversal sequences. If immediate upgrade is not feasible, implement strict compensating controls: disable all third-party widget and plugin loading functionality if the application exposes such features; restrict electerm to processing only trusted terminal sessions without embedded webviews or user-supplied content; run electerm under a restricted user account with minimal filesystem permissions to limit post-exploitation impact (note: this reduces but does not eliminate risk as the attacker still inherits the restricted user's privileges). Review application logs for suspicious widget loading attempts (look for paths containing ../ sequences). These mitigations carry operational trade-offs - disabling plugins may break legitimate workflows, and restricted accounts may limit integration with system tools.

Share

CVE-2026-43940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy