Skip to main content

Microsoft CVE-2026-49255

HIGH
OS Command Injection (CWE-78)
2026-07-02 https://github.com/electerm/electerm GHSA-v5ff-xmfp-p245
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 19:52 vuln.today
CVE Published
Jul 02, 2026 - 19:22 github-advisory
HIGH 8.8

DescriptionGitHub Advisory

Impact

A command injection vulnerability exists in electerm's file system operations (rmrf, mv, cp) in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.

Vulnerable functions:

  • rmrf() - Uses rm -rf "${path}" (double quotes, vulnerable to " injection)
  • mv() - Uses mv '${from}' '${to}' (single quotes, vulnerable to ' injection)
  • cp() - Uses cp -r "${from}" "${to}" (double quotes, vulnerable to " injection)

Attack scenario:

  1. Attacker controls a malicious SSH/SFTP server
  2. Server lists files with shell metacharacters in names (e.g., file"$(touch /tmp/pwned)")
  3. Victim connects to the server and performs file operations (remote-to-local transfer, rename on conflict, etc.)
  4. The malicious filename is passed to rmrf(), mv(), or cp() without sanitization
  5. Shell metacharacters break out of the quoted argument and execute arbitrary commands

Impact includes:

  • Arbitrary command execution as the electerm desktop user
  • Data exfiltration, malware installation, or system compromise
  • Both POSIX (bash) and Windows (PowerShell) platforms are affected

Patches

  • https://github.com/electerm/electerm/commit/aa778818843b9c083bd711cd04644d102fcb5a42

Workarounds

If upgrading is not immediately possible, users can mitigate this vulnerability by:

  1. Only connecting to trusted SSH/SFTP servers
  2. Avoiding remote-to-local file transfers from untrusted sources
  3. Not using the "rename on conflict" option when downloading folders from untrusted servers
  4. Manually verifying filenames before performing file operations

AnalysisAI

Arbitrary command execution in electerm (the open-source cross-platform SSH/SFTP/terminal client) allows a malicious remote server to run OS commands on the connecting user's desktop. The flaw lives in the rmrf(), mv() and cp() helpers in src/app/lib/fs.js, which build shell command strings by interpolating attacker-influenced file paths without escaping shell metacharacters; a hostile SSH/SFTP server that serves files with crafted names can break out of the quoted argument when the victim performs a file operation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Inventory all electerm installations and notify staff to defer SSH/SFTP file operations until patched. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy