Lucene search
K

5 matches found

CVE
CVE
added 2026/05/08 2:51 a.m.29 views

CVE-2026-41501

CVE-2026-41501 affects electerm prior to v3.3.8. The vulnerability resides in npm/install.js:130 where the runLinux() function appends attacker-controlled remote version strings directly into an unvalidated exec("rm -rf ...") command, enabling command injection. Reports across NVD, CVELIST, PT-Se...

9.8CVSS5.8AI score0.01302EPSS
CVE
CVE
added 2026/05/28 5:17 p.m.21 views

CVE-2026-45787

The CVE-2026-45787 entry concerns electerm, an open-source terminal/SSH/etc. client. Technical details in connected sources show that versions prior to 3.9.5 use deterministic AES-192-CBC with a fixed zero IV, a constant KDF salt, and no MAC, causing confidentiality and integrity failures for syn...

9.1CVSS5.8AI score0.00105EPSS
CVE
CVE
added 2026/05/08 2:53 a.m.20 views

CVE-2026-41500

The CVE concerns electerm prior to version 3.3.8, where the runMac() function appends attacker-controlled releaseInfo.name into an exec("open ...") command without validation, enabling command injection. Affected component: npm install script in electerm. Impact stated: remote code execution with...

9.8CVSS5.8AI score0.01572EPSS
CVE
CVE
added 2026/05/08 2:58 a.m.20 views

CVE-2026-43940

CVE-2026-43940 affects the electerm client. The runWidget function in src/app/widgets/load-widget.js builds a file path by concatenating user‑supplied widget identifiers without sanitisation, and runWidget is exposed to the renderer via an asynchronous IPC handler with no input validation. This e...

8.4CVSS6.3AI score0.00167EPSS
CVE
CVE
added 2026/05/08 2:55 a.m.20 views

CVE-2026-43943

The CVE applies to electerm prior to version 3.7.9, where the SFTP open with system editor or Edit with custom editor feature passes the filename directly into a shell command without sanitization. A malicious SSH server or compromised OS can craft a filename containing shell metacharacters; when...

7.8CVSS6.3AI score0.00167EPSS