Description

electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From version 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploitation requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M




CRITICAL: 9.4 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-20: Improper Input Validation

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Product status

>= 3.0.6, < 3.8.15: affected

References

github.com/...ecterm/security/advisories/GHSA-mpm8-cx2p-626q

github.com/...ommit/8a6a17951e96d715f5a231532bbd8303fe208700

github.com/...ommit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742

github.com/electerm/electerm/releases/tag/v3.8.15

cve.org (CVE-2026-43944)

nvd.nist.gov (CVE-2026-43944)
