Electerm Project / Electerm

10 matches found

CVE | added 2023/01/20 12:0 a.m. | 44 views

CVE-2020-23256

CVE-2020-23256 affects Electerm 1.3.22. The issue allows an attacker to execute arbitrary code via an unverified request to the Electerm service. The available connected documents confirm the vulnerability description but do not specify affected component details beyond Electerm and version, nor ...

CVSS 9.8 | AI score 9.6 | EPSS 0.00856

CVE | added 2026/05/08 2:51 a.m. | 19 views

CVE-2026-41501

CVE-2026-41501 affects electerm prior to v3.3.8. The vulnerability resides in npm/install.js:130 where the runLinux() function appends attacker-controlled remote version strings directly into an unvalidated exec("rm -rf ...") command, enabling command injection. Reports across NVD, CVELIST, PT-Se...

CVSS 9.8 | AI score 5.8 | EPSS 0.01302

CVE | added 2026/05/08 2:58 a.m. | 17 views

CVE-2026-43940

CVE-2026-43940 affects the electerm client. The runWidget function in src/app/widgets/load-widget.js builds a file path by concatenating user‑supplied widget identifiers without sanitisation, and runWidget is exposed to the renderer via an asynchronous IPC handler with no input validation. This e...

CVSS 8.4 | AI score 6.3 | EPSS 0.00167

CVE | added 2026/05/08 2:53 a.m. | 16 views

CVE-2026-41500

The CVE concerns electerm prior to version 3.3.8, where the runMac() function appends attacker-controlled releaseInfo.name into an exec("open ...") command without validation, enabling command injection. Affected component: npm install script in electerm. Impact stated: remote code execution with...

CVSS 9.8 | AI score 5.8 | EPSS 0.01572

CVE | added 2026/05/08 2:55 a.m. | 13 views

CVE-2026-43943

The CVE applies to electerm prior to version 3.7.9, where the SFTP open with system editor or Edit with custom editor feature passes the filename directly into a shell command without sanitization. A malicious SSH server or compromised OS can craft a filename containing shell metacharacters; when...

CVSS 7.8 | AI score 6.3 | EPSS 0.00167

CVE | added 2026/05/08 3:3 a.m. | 12 views

CVE-2026-43942

electerm versions 3.8.15 and prior are affected by an IPC vulnerability: the getConstants() handler serialises the entire process.env and exposes it to the renderer as window.pre.env. Any attacker able to execute JavaScript in the renderer could exfiltrate these secrets to a remote server, enabli...

CVSS 5.5 | AI score 6 | EPSS 0.00103

CVE | added 2026/05/08 3:1 a.m. | 11 views

CVE-2026-43941

Electerm CVE-2026-43941 affects version 3.8.15 and earlier. The terminal hyperlink handler forwards any URL clicked in the terminal directly to shell.openExternal without protocol validation. An attacker controlling terminal output (e.g., via a malicious SSH server, compromised remote host, or ma...

CVSS 9.6 | AI score 6.4 | EPSS 0.00394

CVE | added 2026/05/28 5:17 p.m. | 10 views

CVE-2026-45787

The CVE-2026-45787 entry concerns electerm, an open-source terminal/SSH/etc. client. Technical details in connected sources show that versions prior to 3.9.5 use deterministic AES-192-CBC with a fixed zero IV, a constant KDF salt, and no MAC, causing confidentiality and integrity failures for syn...

CVSS 9.1 | AI score 5.8 | EPSS 0.00105

CVE | added 2026/05/08 3:8 a.m. | 9 views

CVE-2026-43944

The CVE-2026-43944 entry affects the open-source terminal/SSH client electerm, with vulnerable versions from 3.0.6 up to, but not including, 3.8.15. The root cause is arbitrary local code execution triggered by attacker-controlled options when electerm is launched via a crafted electerm:// deep link, a crafted s...

CVSS 9.6 | AI score 6.3 | EPSS 0.00363

CVE | added 2026/05/28 5:19 p.m. | 7 views

CVE-2026-45353

CVE-2026-45353 affects electerm (3.0.6–3.8.8); the vulnerability arises from the single-instance socket allowing local code execution via a crafted JSON payload, enabling a same-user process to spawn attacker-controlled local processes. The issue is resolved in 3.9.0 (official fix); some sources ...

CVSS 9.3 | AI score 5.8 | EPSS 0.00114