Which versions of electerm are affected by CVE-2026-45353?

Electerm versions 3.0.6 through 3.8.8 contain a critical local code execution vulnerability allowing arbitrary command execution from same-system processes.. A patch is available.

electerm CVE-2026-45353

Q: What is the CVSS score of CVE-2026-45353?

CVE-2026-45353 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

CRITICAL

Code Injection (CWE-94)

2026-05-14 https://github.com/electerm/electerm

GHSA-7p5m-v798-f8vv

RCE Code Injection

9.3

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 28, 2026 - 18:28 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 18:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 18:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 18:22 NVD

9.3 (CRITICAL)

Source Code Evidence Fetched

May 14, 2026 - 22:00 vuln.today

Analysis Generated

May 14, 2026 - 22:00 vuln.today

CVE Published

May 14, 2026 - 20:29 nvd

CRITICAL

DescriptionNVD

Impact

_Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the machine._

Patches

https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507

Workarounds

Do not run unsafe command

References

Report / credit: https://github.com/Curly-Haired-Baboon
Electerm releases: https://github.com/electerm/electerm/releases

AnalysisAI

Local code execution in electerm 3.0.6 through 3.8.8 allows any same-user process to send a crafted JSON payload to electerm's single-instance IPC socket/pipe, causing the application to open tabs with attacker-controlled exec paths, arguments, environment variables, and post-connect scripts that spawn arbitrary local processes. No public exploit identified at time of analysis, but the GHSA advisory and patch commit confirm the vulnerability is real, scored CVSS 4.0 9.3 (Critical), and fixed in version 3.9.0 by filtering dangerous tab properties on the IPC boundary.

RemediationAI

Within 24 hours: inventory all systems running electerm and identify installations of versions 3.0.6 through 3.8.8. Within 7 days: deploy electerm version 3.9.0 on all affected systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45353 vulnerability details – vuln.today

Back

electerm CVE-2026-45353

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

References

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

electerm CVE-2026-45353

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

References

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code