Which versions of Electerm are affected by CVE-2026-45058?

Electerm, an npm package used for terminal session management, contains a critical code execution flaw affecting all versions up to 3.8.8.

Electerm CVE-2026-45058

Q: What is the CVSS score of CVE-2026-45058?

CVE-2026-45058 has a CVSS 4.0 base score of 9.4 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Q: How to fix or mitigate CVE-2026-45058?

24 hours: Inventory all instances of Electerm <= 3.8.8 in use (development, CI/CD, operational systems) and assess criticality. 7 days: Disable cloud sync features (Gist/WebDAV) for all instances; prohibit importing bookmarks from untrusted sources; restrict user permissions on sync storage targets. 30 days: Evaluate vendor advisories for patched releases, migrate to alternative terminal tooling if patch timeline is unclear, or implement sandboxed environments where Electerm must run.

CRITICAL

Code Injection (CWE-94)

2026-05-14 https://github.com/electerm/electerm

GHSA-jgg9-rw32-44pj

RCE Code Injection

9.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

May 28, 2026 - 18:29 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 18:29 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 18:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 18:22 NVD

9.4 (CRITICAL)

Source Code Evidence Fetched

May 14, 2026 - 21:16 vuln.today

Analysis Generated

May 14, 2026 - 21:16 vuln.today

CVE Published

May 14, 2026 - 20:15 nvd

CRITICAL

DescriptionNVD

Impact

_Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied._

Patches

Not yet

Workarounds

Do not import unsafe data

References

Report / credit: https://github.com/Curly-Haired-Baboon
Electerm releases: https://github.com/electerm/electerm/releases

AnalysisAI

Code execution in Electerm (npm package, versions <= 3.8.8) allows attackers to achieve persistent local-pty code execution by tricking users into importing malicious bookmark JSON files or by compromising configured sync targets (Gist/WebDAV). The flaw stems from unsafe handling of bookmark fields (exec*) and global config entries, which are executed when a bookmark is opened or when sync is applied. …

RemediationAI

24 hours: Inventory all instances of Electerm <= 3.8.8 in use (development, CI/CD, operational systems) and assess criticality. 7 days: Disable cloud sync features (Gist/WebDAV) for all instances; prohibit importing bookmarks from untrusted sources; restrict user permissions on sync storage targets. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45058 vulnerability details – vuln.today

Back

Electerm CVE-2026-45058

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

References

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Electerm CVE-2026-45058

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

References

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code