Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user's privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network. This issue has been patched in version 3.7.9.
AnalysisAI
Command injection in electerm's SFTP file editor feature allows arbitrary code execution when users edit files with maliciously crafted filenames. The vulnerability affects versions prior to 3.7.9 and can be exploited by attackers controlling SSH servers or the victim's operating system to inject shell metacharacters into filenames. When victims attempt to edit these files using 'open with system editor' or custom editor features, unsanitized filenames are passed directly to command execution functions, triggering injected commands with user privileges. GitHub security advisory GHSA-q4p8-8j9m-8hxj confirms the vulnerability, with exploit code demonstrable through the proof-of-concept filename in unit tests. EPSS data not available, not listed in CISA KEV. Vendor-released patch available in version 3.7.9.
Technical ContextAI
This is a classic OS command injection vulnerability (CWE-78) in electerm, a cross-platform terminal emulator and SSH/SFTP client built on Electron. The flaw exists in src/app/lib/fs.js where the openFile function constructs shell commands by directly concatenating user-controlled filenames without sanitization. On Windows, filenames were embedded in PowerShell Invoke-Item commands via string interpolation. On macOS/Linux, filenames were passed to 'open' or 'xdg-open' commands through shell execution. The commit diff shows the fix replaces child_process.exec (which spawns a shell) with child_process.spawn using array-based argument passing, and on Windows adds -LiteralPath with $args[0] to treat filenames as literal data rather than executable code. The CPE cpe:2.3:a:electerm:electerm identifies this as affecting the core electerm application across all platforms.
RemediationAI
Upgrade to electerm version 3.7.9 or later, released at https://github.com/electerm/electerm/releases/tag/v3.7.9. The fix (commit 24ce7103e264cffe6eb5476c0506a2379e6f8333) replaces shell-based command execution with spawn() using argument arrays and adds -LiteralPath on Windows to prevent filename interpretation as code. If immediate upgrade is not feasible, implement compensating controls: disable the 'open with system editor' and custom editor features in electerm settings, restrict SFTP connections to only trusted servers with verified file integrity controls, and enable application whitelisting/execution policies to prevent unauthorized command execution from user directories. Note that disabling editor integration eliminates core workflow functionality, making upgrade the only viable long-term solution. Organizations should audit SFTP server access logs for anomalous filename patterns containing shell metacharacters (semicolons, backticks, pipes, dollar signs) as potential exploitation indicators.
Arbitrary local code execution in electerm (versions 3.0.6-3.8.14) allows remote attackers to execute malicious code on
Arbitrary code execution in Electerm terminal client (≤3.8.15) allows attackers who control terminal output to execute c
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker
electerm 3.8.15 and prior exposes environment variables containing secrets through the getConstants() IPC handler, which
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28515
GHSA-q4p8-8j9m-8hxj