Microsoft
CVE-2026-49255
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
A command injection vulnerability exists in electerm's file system operations (rmrf, mv, cp) in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.
Vulnerable functions:
rmrf()- Usesrm -rf "${path}"(double quotes, vulnerable to"injection)mv()- Usesmv '${from}' '${to}'(single quotes, vulnerable to'injection)cp()- Usescp -r "${from}" "${to}"(double quotes, vulnerable to"injection)
Attack scenario:
- Attacker controls a malicious SSH/SFTP server
- Server lists files with shell metacharacters in names (e.g.,
file"$(touch /tmp/pwned)") - Victim connects to the server and performs file operations (remote-to-local transfer, rename on conflict, etc.)
- The malicious filename is passed to
rmrf(),mv(), orcp()without sanitization - Shell metacharacters break out of the quoted argument and execute arbitrary commands
Impact includes:
- Arbitrary command execution as the electerm desktop user
- Data exfiltration, malware installation, or system compromise
- Both POSIX (bash) and Windows (PowerShell) platforms are affected
Patches
- https://github.com/electerm/electerm/commit/aa778818843b9c083bd711cd04644d102fcb5a42
Workarounds
If upgrading is not immediately possible, users can mitigate this vulnerability by:
- Only connecting to trusted SSH/SFTP servers
- Avoiding remote-to-local file transfers from untrusted sources
- Not using the "rename on conflict" option when downloading folders from untrusted servers
- Manually verifying filenames before performing file operations
AnalysisAI
Arbitrary command execution in electerm (the open-source cross-platform SSH/SFTP/terminal client) allows a malicious remote server to run OS commands on the connecting user's desktop. The flaw lives in the rmrf(), mv() and cp() helpers in src/app/lib/fs.js, which build shell command strings by interpolating attacker-influenced file paths without escaping shell metacharacters; a hostile SSH/SFTP server that serves files with crafted names can break out of the quoted argument when the victim performs a file operation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Inventory all electerm installations and notify staff to defer SSH/SFTP file operations until patched. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v5ff-xmfp-p245