Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15.
AnalysisAI
Arbitrary local code execution in electerm (versions 3.0.6-3.8.14) allows remote attackers to execute malicious code on victim systems by tricking users into clicking crafted electerm:// deep links, opening malicious shortcuts, or running CLI commands with attacker-controlled --opts parameters. The vulnerability stems from insufficient input validation (CWE-20) on deep link and CLI arguments, enabling adversaries to inject arbitrary options that execute code with the privileges of the electerm process. Exploitation requires user interaction (clicking link or opening file) but no authentication, making it suitable for phishing or watering-hole attacks. Patch available in version 3.8.15 with deny-list controls blocking critical parameter override.
Technical ContextAI
electerm is an Electron-based terminal emulator and SSH/SFTP/RDP/VNC client for Windows, macOS, and Linux (cpe:2.3:a:electerm:electerm:*:*:*:*:*:*:*:*). The vulnerability arises from CWE-20 (Improper Input Validation) in the parseQuickConnect function, which processes electerm:// URL schemes and command-line --opts arguments. Prior to 3.8.15, the parser accepted user-supplied JSON opts parameters without sanitization, allowing attackers to override critical connection parameters like 'type' and 'host'. By injecting malicious opts via deep links (electerm://...?opts={...}) or CLI shortcuts, attackers could manipulate Electron's process spawning mechanisms to execute arbitrary binaries. The fix introduces OPTS_DENY_LIST array filtering to prevent override of 'type' and 'host' keys, enforcing separation between URL-derived and user-supplied configuration.
RemediationAI
Upgrade to electerm version 3.8.15 or later immediately. Fixed release available at https://github.com/electerm/electerm/releases/tag/v3.8.15. Upstream fix commits: 8a6a179 (OPTS_DENY_LIST implementation) and a79e06f (additional hardening). For organizations unable to patch immediately: (1) Block electerm:// protocol handler registration in browser/OS settings to prevent deep link exploitation - side effect: legitimate electerm:// connection shortcuts will not function; (2) Implement application whitelisting to block electerm.exe execution from untrusted paths (temp directories, downloads) - reduces risk from malicious shortcuts but does not prevent CLI exploitation if users run commands manually; (3) User education to never click electerm:// links from untrusted sources or open .lnk/.desktop files from email/web downloads - relies on user compliance and does not scale. All workarounds are partial mitigations; upgrade is the only complete remediation.
Arbitrary code execution in Electerm terminal client (≤3.8.15) allows attackers who control terminal output to execute c
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker
Command injection in electerm's SFTP file editor feature allows arbitrary code execution when users edit files with mali
electerm 3.8.15 and prior exposes environment variables containing secrets through the getConstants() IPC handler, which
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28516
GHSA-mpm8-cx2p-626q