Skip to main content

electerm EUVDEUVD-2026-28515

| CVE-2026-43943 HIGH
OS Command Injection (CWE-78)
2026-05-08 GitHub_M GHSA-q4p8-8j9m-8hxj
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 08, 2026 - 05:31 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:31 vuln.today
Analysis Generated
May 08, 2026 - 04:31 vuln.today
CVE Published
May 08, 2026 - 02:55 nvd
HIGH 7.8

DescriptionGitHub Advisory

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user's privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network. This issue has been patched in version 3.7.9.

AnalysisAI

Command injection in electerm's SFTP file editor feature allows arbitrary code execution when users edit files with maliciously crafted filenames. The vulnerability affects versions prior to 3.7.9 and can be exploited by attackers controlling SSH servers or the victim's operating system to inject shell metacharacters into filenames. When victims attempt to edit these files using 'open with system editor' or custom editor features, unsanitized filenames are passed directly to command execution functions, triggering injected commands with user privileges. GitHub security advisory GHSA-q4p8-8j9m-8hxj confirms the vulnerability, with exploit code demonstrable through the proof-of-concept filename in unit tests. EPSS data not available, not listed in CISA KEV. Vendor-released patch available in version 3.7.9.

Technical ContextAI

This is a classic OS command injection vulnerability (CWE-78) in electerm, a cross-platform terminal emulator and SSH/SFTP client built on Electron. The flaw exists in src/app/lib/fs.js where the openFile function constructs shell commands by directly concatenating user-controlled filenames without sanitization. On Windows, filenames were embedded in PowerShell Invoke-Item commands via string interpolation. On macOS/Linux, filenames were passed to 'open' or 'xdg-open' commands through shell execution. The commit diff shows the fix replaces child_process.exec (which spawns a shell) with child_process.spawn using array-based argument passing, and on Windows adds -LiteralPath with $args[0] to treat filenames as literal data rather than executable code. The CPE cpe:2.3:a:electerm:electerm identifies this as affecting the core electerm application across all platforms.

RemediationAI

Upgrade to electerm version 3.7.9 or later, released at https://github.com/electerm/electerm/releases/tag/v3.7.9. The fix (commit 24ce7103e264cffe6eb5476c0506a2379e6f8333) replaces shell-based command execution with spawn() using argument arrays and adds -LiteralPath on Windows to prevent filename interpretation as code. If immediate upgrade is not feasible, implement compensating controls: disable the 'open with system editor' and custom editor features in electerm settings, restrict SFTP connections to only trusted servers with verified file integrity controls, and enable application whitelisting/execution policies to prevent unauthorized command execution from user directories. Note that disabling editor integration eliminates core workflow functionality, making upgrade the only viable long-term solution. Organizations should audit SFTP server access logs for anomalous filename patterns containing shell metacharacters (semicolons, backticks, pipes, dollar signs) as potential exploitation indicators.

Share

EUVD-2026-28515 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy