Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.
Published: 2026-05-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
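
The handler pattern the description above refers to, shown beside a hardened version, as an added example: this is illustrative code, not electerm's own handler. It assumes the click handler receives the link target as a URL string (the OSC 8 escape used to carry links in the constructed sample is one common way terminals mark clickable links; the page does not say how electerm detects them), and it takes the opener as a parameter so the demo runs without Electron; in the real app that argument would be `require('electron').shell.openExternal`. Names such as `safeExternalUrl` and `triageTerminalOutput` are this example's own.

```javascript
// Added example for CVE-2026-43941 (not electerm's code). Assumptions: links
// arrive as URL strings, and `openExternal` is injected so this runs offline.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// The vulnerable pattern the advisory describes: whatever URL the click handler
// receives is handed straight to the OS, so file:, javascript: or any scheme
// that has a registered handler (e.g. ms-msdt:) runs with the victim's privileges.
function openLinkUnsafe(url, openExternal) {
  return openExternal(url);
}

// Hardened: parse with the WHATWG URL parser, allowlist the scheme, reject
// credential-bearing URLs, and pass on the normalised href, not the raw string.
function safeExternalUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch {
    return null; // unparseable or relative input is rejected, never opened
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (parsed.username || parsed.password) return null;
  return parsed.href;
}

function openLinkSafe(url, openExternal) {
  const href = safeExternalUrl(url);
  if (href === null) return false;
  openExternal(href);
  return true;
}

// OSC 8 hyperlink: ESC ] 8 ; params ; URI ST, where ST is ESC \ or BEL.
// An empty URI closes the current link and is skipped.
const OSC8 = /\x1b\]8;([^;\x07\x1b]*);([^\x07\x1b]*)(?:\x07|\x1b\\)/g;
function extractOsc8Links(text) {
  const links = [];
  for (const m of text.matchAll(OSC8)) {
    if (m[2] !== '') links.push(m[2]);
  }
  return links;
}

// Run every link found in a chunk of terminal output through the hardened path.
function triageTerminalOutput(text, openExternal) {
  const result = { opened: [], blocked: [] };
  for (const url of extractOsc8Links(text)) {
    (openLinkSafe(url, openExternal) ? result.opened : result.blocked).push(url);
  }
  return result;
}

// Constructed sample of output a malicious host could emit: one benign link
// and two that must never reach shell.openExternal.
const SAMPLE_OUTPUT =
  'Build finished: ' +
  '\x1b]8;;https://example.com/report\x1b\\report\x1b]8;;\x1b\\ ' +
  '\x1b]8;;file:///etc/passwd\x1b\\docs\x1b]8;;\x1b\\ ' +
  '\x1b]8;;ms-msdt:/id PCWDiagnostic\x1b\\help\x1b]8;;\x1b\\\n';

// Stand-in for shell.openExternal that only records what it was asked to open.
function recordingOpener() {
  const calls = [];
  const fn = (url) => { calls.push(url); };
  fn.calls = calls;
  return fn;
}

function demo() {
  const opener = recordingOpener();
  const triage = triageTerminalOutput(SAMPLE_OUTPUT, opener);
  return { ...triage, openedByOs: opener.calls };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allowlist is deliberately short: `new URL` normalises scheme and host case, so a check on `parsed.protocol` cannot be bypassed with `FILE:` or `HTTPS://`, and anything the parser rejects is dropped rather than handed to the OS. Adding a confirmation dialog in front of `openExternal` is a reasonable extra step but is no substitute for the scheme check.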
AI Analysis

Impact

Electerm versions 3.8.15 and earlier pass any URL clicked in the terminal directly to Electron's shell.openExternal without validating its protocol. An attacker who controls terminal output (a compromised SSH server, a malicious remote host, or a plugin that renders terminal content) can therefore have the victim's operating system open a URL on any scheme it has a handler for, which yields local code execution or local file access as soon as the user clicks the displayed link. The record lists CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect') and CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection'); the practical outcome is code execution under the user's own account and exposure of local data.

Affected Systems

The affected product is electerm, an open‑source terminal client supporting SSH, SFTP, telnet, serial, RDP, VNC, Spice, and FTP. All releases up to and including version 3.8.15 are vulnerable. No other vendors or product variants are listed.

Risk and Exploitability

With a CVSS 3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), this vulnerability is rated Critical. The EPSS estimate is below 1% (Very Low), but with no public patch and only a single link click required, exploitation is plausible wherever users connect to hosts they do not fully trust. The vulnerability is not listed in CISA's KEV catalog, but its severity warrants immediate attention. An attacker needs only control over what the terminal displays, so a malicious or compromised SSH session is a sufficient foothold; no further network access to the victim's machine is required.

Generated by OpenCVE AI on May 8, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Until a fix ships, treat links displayed in sessions to untrusted or compromised hosts as hostile and do not click them; if the client exposes a setting to disable terminal hyperlink handling (the advisory does not name one), turn it off.
  • Update Electerm as soon as a release later than 3.8.15 addresses this issue, and watch the project's advisories and issue tracker for the fix.
  • A proper fix must allowlist URL schemes (for example http, https, mailto) before anything reaches shell.openExternal; in the meantime, endpoint monitoring for unexpected child processes or protocol-handler launches from the Electerm process can surface abuse.

Generated by OpenCVE AI on May 8, 2026 at 05:26 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 04:00:00 +0000

Type        | Values Removed | Values Added
Description |                | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.
Title       |                | Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click
Weaknesses  |                | CWE-601, CWE-88
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:01:12.461Z

Reserved: 2026-05-04T16:59:09.090Z

Link: CVE-2026-43941

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T04:16:23.260

Modified: 2026-05-08T04:16:23.260

Link: CVE-2026-43941

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses