Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.
Published: 2026-05-08
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw in electerm's runWidget function, which concatenates user-supplied widget identifiers into a file path without sanitization. Because runWidget is reachable from the renderer process through an IPC handler that performs no input validation, an attacker who can obtain JavaScript execution inside the renderer (e.g., via a malicious plugin or an XSS bug in the built-in webview) can manipulate the path string to reference any file on the victim's filesystem. electerm then loads and executes that arbitrary JavaScript file, granting the attacker the full privileges of the electerm process and effectively compromising the entire system.

Affected Systems

The flaw affects versions of electerm released before 3.7.16. All users running electerm:electerm with a widget loader that relies on runWidget without input validation are vulnerable. The product is an open‑source terminal, SSH, SFTP, telnet, serial port, RDP, VNC, Spice, and FTP client.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity. No EPSS score is available, so current exploit probability is unclear, and the flaw is not listed in CISA’s KEV catalog. Exploitation requires the attacker to first achieve JavaScript execution inside the renderer process, which can be achieved through a malicious plugin or an XSS vulnerability in the embedded webview. Once this prerequisite is met, the path traversal can be exploited to load and run arbitrary code, leading to local code execution with electerm’s process privileges.

Generated by OpenCVE AI on May 8, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to electerm release 3.7.16 or later to apply the vendor fix.
  • Disable or remove untrusted plugins and restrict plugin execution to prevent JavaScript injection into the renderer.
  • Enforce context isolation and disable Node.js integration in the renderer to reduce the risk of arbitrary script execution.
  • Consider running electerm in a sandboxed environment or with reduced filesystem permissions to limit the impact of potential code execution.

Tracking


Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 04:00:00 +0000

Type: Description
Values Added: electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user-supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross-site scripting flaw in the built-in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim's filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.

Type: Title
Values Added: electerm: Path traversal in electerm runWidget leads to arbitrary code execution

Type: Weaknesses
Values Added: CWE-22, CWE-829

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T12:52:47.567Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43940

Vulnrichment

Updated: 2026-05-08T12:52:43.836Z

NVD

Status: Received

Published: 2026-05-08T04:16:23.023

Modified: 2026-05-08T04:16:23.023

Link: CVE-2026-43940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses