What is the CVSS score of CVE-2026-43940?

CVE-2026-43940 has a CVSS 3.1 base score of 8.4 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of electerm are affected by CVE-2026-43940?

CVE-2026-43940 is a high-severity path traversal vulnerability in electerm versions prior to 3.7.16 that allows local attackers with renderer process access to execute arbitrary JavaScript with full…. A patch is available.

How to fix or mitigate CVE-2026-43940?

Within 24 hours: Inventory all systems running electerm and identify the current installed versions. Within 7 days: Upgrade all electerm installations to version 3.7.16 or later; verify upgrade completion across all endpoints. Within 30 days: Conduct post-patch validation testing and review application logs for any suspicious JavaScript execution patterns or unauthorized file access attempts during the window of vulnerability.

electerm CVE-2026-43940

EUVD-2026-28512 HIGH

Path Traversal (CWE-22)

2026-05-08 GitHub_M

GHSA-f77v-9vpc-6pjm

RCE Path Traversal

8.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 08, 2026 - 05:01 EUVD

Analysis Generated

May 08, 2026 - 04:31 vuln.today

CVE Published

May 08, 2026 - 02:58 nvd

HIGH 8.4

DescriptionNVD

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.

AnalysisAI

Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. …

RemediationAI

Within 24 hours: Inventory all systems running electerm and identify the current installed versions. Within 7 days: Upgrade all electerm installations to version 3.7.16 or later; verify upgrade completion across all endpoints. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43940 vulnerability details – vuln.today

Back

electerm CVE-2026-43940

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code