Skip to main content

Electerm CVE-2026-43941

| EUVDEUVD-2026-28513 CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-08 GitHub_M GHSA-fwf6-j56g-m97c
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 08, 2026 - 04:31 vuln.today
CVE Published
May 08, 2026 - 03:01 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.

AnalysisAI

Arbitrary code execution in Electerm terminal client (≤3.8.15) allows attackers who control terminal output to execute commands or access local files when victims click hyperlinks. The unvalidated shell.openExternal call accepts any protocol scheme, enabling 'file://' URIs for local file access or platform-specific handlers for code execution. No vendor-released patch identified at time of analysis. GitHub Security Advisory GHSA-fwf6-j56g-m97c confirms the vulnerability. CVSS 9.6 reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires user interaction (clicking a malicious link).

Technical ContextAI

Electerm is an Electron-based terminal emulator supporting SSH, SFTP, Telnet, RDP, VNC, and serial connections. The vulnerability stems from CWE-88 (Improper Neutralization of Argument Delimiters) in the hyperlink handling code. When terminal escape sequences render clickable URLs, Electerm invokes Electron's shell.openExternal API without protocol whitelisting. This API delegates to the operating system's default handler for any URI scheme - 'http:', 'file:', custom protocol handlers, or executable wrappers. An attacker controlling terminal output (through compromised SSH servers, malicious remote hosts, or plugins) can inject ANSI escape sequences with crafted URLs. The CVSS vector AV:N indicates network attack vector because remote servers generate terminal content; S:C (scope change) reflects breaking out of the application context into OS-level execution.

RemediationAI

No vendor-released patch identified at time of analysis per the description stating 'no publicly available patches.' Monitor GitHub Security Advisory GHSA-fwf6-j56g-m97c for updates. Immediate compensating controls: (1) Disable hyperlink rendering in Electerm terminal settings if available - prevents clickable links entirely, eliminating attack surface at cost of usability. (2) Train users not to click terminal-rendered URLs; manually copy/paste into browser address bar after inspecting protocol scheme. This introduces friction in legitimate workflows where terminal links provide operational value. (3) Restrict Electerm usage to trusted remote hosts only; treat any SSH server, RDP gateway, or VNC host as potential attack vector. Side effect: limits Electerm's utility for ad-hoc remote access. (4) Run Electerm in sandboxed environment (containerized, VM, or restricted user account) to contain shell.openExternal execution scope; does not prevent exploitation but limits lateral movement. (5) Network-level controls: monitor outbound connections from Electerm process for unexpected protocols or destinations. Consult the GitHub advisory for potential upstream fixes or recommended settings changes as vendor response evolves.

Share

CVE-2026-43941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy