Skip to main content

Electerm EUVDEUVD-2026-32961

| CVE-2026-45058 CRITICAL
Code Injection (CWE-94)
2026-05-14 https://github.com/electerm/electerm GHSA-jgg9-rw32-44pj
9.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 28, 2026 - 18:29 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 18:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 18:22 NVD
9.4 (CRITICAL)
Source Code Evidence Fetched
May 14, 2026 - 21:16 vuln.today
Analysis Generated
May 14, 2026 - 21:16 vuln.today
CVE Published
May 14, 2026 - 20:15 nvd
CRITICAL

DescriptionGitHub Advisory

Impact

_Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied._

Patches

Not yet

Workarounds

  • Do not import unsafe data

References

  • Report / credit: https://github.com/Curly-Haired-Baboon
  • Electerm releases: https://github.com/electerm/electerm/releases

AnalysisAI

Code execution in Electerm (npm package, versions <= 3.8.8) allows attackers to achieve persistent local-pty code execution by tricking users into importing malicious bookmark JSON files or by compromising configured sync targets (Gist/WebDAV). The flaw stems from unsafe handling of bookmark fields (exec*) and global config entries, which are executed when a bookmark is opened or when sync is applied. No public exploit identified at time of analysis, and no vendor-released patch is identified at time of analysis.

Technical ContextAI

Electerm is an open-source Electron-based SSH/terminal/SFTP client distributed via npm. The root cause is CWE-94 (Improper Control of Generation of Code, i.e., code injection): bookmark JSON imports and synced configuration data are deserialized into runtime configuration containing exec* fields that the application later executes via a local pseudo-terminal (pty). Because the application uses Electron and spawns shell processes from user-controlled bookmark metadata without sufficient validation, attacker-supplied JSON effectively becomes shell command input. The CPE pkg:npm/electerm identifies the affected package, and the GitHub Security Advisory GHSA-jgg9-rw32-44pj scopes the impact to all versions through 3.8.8.

RemediationAI

No vendor-released patch identified at time of analysis - the GHSA advisory explicitly states 'Patches: Not yet' and no fixed version is listed in the npm advisory. Until a patched release appears at https://github.com/electerm/electerm/releases, the only vendor-suggested workaround is to avoid importing bookmark JSON from untrusted sources; in addition, security teams should disable or unconfigure third-party bookmark sync (Gist/WebDAV) when the sync endpoint is not fully controlled, since a compromised sync target also triggers this issue, accepting the trade-off of losing cross-device bookmark synchronization. Organizations may also restrict execution of Electerm to managed endpoints, block bookmark imports through endpoint policy or application allow-listing, and audit existing bookmark files for unexpected exec* fields or unusual global config entries before re-importing.

Share

EUVD-2026-32961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy