Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.
Published: 2026-05-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Electerm versions 3.8.15 and earlier pass any URL clicked in the terminal directly to Electron's shell.openExternal without validating its protocol. shell.openExternal hands the string to the operating system's URL handler, so non-web schemes such as file: or any application-registered protocol reach a local handler unchecked. An attacker who controls terminal output, such as a compromised SSH server, a malicious remote host, or a plugin that renders terminal content, can therefore cause arbitrary code execution or local file access with the privileges of the Electerm user as soon as the user clicks a displayed link. The record maps the weakness to CWE-601 (URL Redirection to Untrusted Site, "Open Redirect") and CWE-88 (Improper Neutralization of Argument Delimiters in a Command, "Argument Injection").

Affected Systems

The affected product is electerm, an open‑source terminal client supporting SSH, SFTP, telnet, serial, RDP, VNC, Spice, and FTP. All releases up to and including version 3.8.15 are vulnerable. No other vendors or product variants are listed.

Risk and Exploitability

With a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), this vulnerability represents a severe risk. The attack is network-reachable and needs no privileges, but it does require the user to click a link; the EPSS estimate is below 1% and the SSVC assessment records no known exploitation and rates the issue not automatable. No public patch exists, so exploitation is plausible wherever users click links in sessions to hosts they do not fully trust. The vulnerability is not listed in CISA's KEV catalog, but its severity warrants immediate attention: an attacker who already controls terminal content, for example through a malicious or compromised SSH server, needs no further network access to the victim.

Generated by OpenCVE AI on May 8, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • The advisory lists no vendor workaround. If Electerm exposes a setting that disables terminal hyperlink handling, turning it off removes the call path to shell.openExternal; otherwise treat links displayed in sessions to untrusted or third-party hosts as hostile and do not click them.
  • Update Electerm to the first release that addresses GHSA-fwf6-j56g-m97c once it is published, and watch the project's advisories and issue tracker until then.
  • For forks or internal builds, restrict the link handler to an allowlist of schemes (http: and https:) checked with a URL parser before anything reaches shell.openExternal. At the endpoint, flag child processes of Electerm that open local files or launch handlers for file: or custom URL schemes.

Generated by OpenCVE AI on May 8, 2026 at 05:26 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-fwf6-j56g-m97c
Title: Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click
History

Mon, 11 May 2026 17:00:00 +0000

  First Time appeared   (added) Electerm; Electerm electerm
  Vendors & Products    (added) Electerm; Electerm electerm

Fri, 08 May 2026 22:15:00 +0000

  Metrics               (added) ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 19:30:00 +0000

  First Time appeared   (added) Electerm Project; Electerm Project electerm
  CPEs                  (added) cpe:2.3:a:electerm_project:electerm:*:*:*:*:*:*:*:*
  Vendors & Products    (added) Electerm Project; Electerm Project electerm

Fri, 08 May 2026 04:00:00 +0000

  Description           (added) electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.
  Title                 (added) Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click
  Weaknesses            (added) CWE-601; CWE-88
  References
  Metrics               (added) cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:28:44.766Z

Reserved: 2026-05-04T16:59:09.090Z

Link: CVE-2026-43941

Vulnrichment

Updated: 2026-05-08T14:34:52.110Z

NVD

Status: Analyzed

Published: 2026-05-08T04:16:23.260

Modified: 2026-05-08T19:17:30.757

Link: CVE-2026-43941

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T16:11:13Z

Weaknesses