Skip to main content

electerm CVE-2026-43944

| EUVDEUVD-2026-28516 CRITICAL
Improper Input Validation (CWE-20)
2026-05-08 GitHub_M GHSA-mpm8-cx2p-626q
9.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

5
Patch available
May 08, 2026 - 05:31 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:32 vuln.today
Analysis Generated
May 08, 2026 - 04:32 vuln.today
CVSS changed
May 08, 2026 - 04:22 NVD
9.4 (CRITICAL)
CVE Published
May 08, 2026 - 03:08 nvd
CRITICAL 9.4

DescriptionGitHub Advisory

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15.

AnalysisAI

Arbitrary local code execution in electerm (versions 3.0.6-3.8.14) allows remote attackers to execute malicious code on victim systems by tricking users into clicking crafted electerm:// deep links, opening malicious shortcuts, or running CLI commands with attacker-controlled --opts parameters. The vulnerability stems from insufficient input validation (CWE-20) on deep link and CLI arguments, enabling adversaries to inject arbitrary options that execute code with the privileges of the electerm process. Exploitation requires user interaction (clicking link or opening file) but no authentication, making it suitable for phishing or watering-hole attacks. Patch available in version 3.8.15 with deny-list controls blocking critical parameter override.

Technical ContextAI

electerm is an Electron-based terminal emulator and SSH/SFTP/RDP/VNC client for Windows, macOS, and Linux (cpe:2.3:a:electerm:electerm:*:*:*:*:*:*:*:*). The vulnerability arises from CWE-20 (Improper Input Validation) in the parseQuickConnect function, which processes electerm:// URL schemes and command-line --opts arguments. Prior to 3.8.15, the parser accepted user-supplied JSON opts parameters without sanitization, allowing attackers to override critical connection parameters like 'type' and 'host'. By injecting malicious opts via deep links (electerm://...?opts={...}) or CLI shortcuts, attackers could manipulate Electron's process spawning mechanisms to execute arbitrary binaries. The fix introduces OPTS_DENY_LIST array filtering to prevent override of 'type' and 'host' keys, enforcing separation between URL-derived and user-supplied configuration.

RemediationAI

Upgrade to electerm version 3.8.15 or later immediately. Fixed release available at https://github.com/electerm/electerm/releases/tag/v3.8.15. Upstream fix commits: 8a6a179 (OPTS_DENY_LIST implementation) and a79e06f (additional hardening). For organizations unable to patch immediately: (1) Block electerm:// protocol handler registration in browser/OS settings to prevent deep link exploitation - side effect: legitimate electerm:// connection shortcuts will not function; (2) Implement application whitelisting to block electerm.exe execution from untrusted paths (temp directories, downloads) - reduces risk from malicious shortcuts but does not prevent CLI exploitation if users run commands manually; (3) User education to never click electerm:// links from untrusted sources or open .lnk/.desktop files from email/web downloads - relies on user compliance and does not scale. All workarounds are partial mitigations; upgrade is the only complete remediation.

Share

CVE-2026-43944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy