Home

Description

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulnerability is fixed in 3.9.5.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-28 | Updated 2026-05-29 | Assigner GitHub_M




MEDIUM: 6.0CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-326: Inadequate Encryption Strength

CWE-329: Generation of Predictable IV with CBC Mode

CWE-353: Missing Support for Integrity Check

CWE-759: Use of a One-Way Hash without a Salt

CWE-916: Use of Password Hash With Insufficient Computational Effort

Product status

< 3.9.5
affected

References

github.com/...ecterm/security/advisories/GHSA-g29v-q6h7-76wh

github.com/...ommit/9dd8295e37d53396b980cd45dfc5ed11ad79b937

cve.org (CVE-2026-45787)

nvd.nist.gov (CVE-2026-45787)

Download JSON