Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15.
Published: 2026-05-08
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The electerm terminal client has a flaw that allows an attacker to trigger arbitrary code execution on the host machine via specially constructed deep links, command-line options, or malicious shortcuts. The flaw arises when electerm blindly interprets and evaluates user‑supplied arguments, leading to injection and execution of arbitrary code. Attackers can exploit this to run commands or scripts with the privileges of the user running electerm, potentially compromising all local data and system integrity. The weakness is rooted in improper input validation and unsafe handling of options, corresponding to CWE‑20, and unsanitized command execution, CWE‑94.

Affected Systems

Electerm, versions 3.0.6 through 3.8.14, is affected. The product is an open-source terminal/SSH/SFTP/… client. Users of electerm 3.8.15 or later are not impacted.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical vulnerability. Though the EPSS score is not available, any user who clicks a malicious electerm:// link or launches electerm with crafted –‑opts could trigger the flaw. The vulnerability is not listed in the CISA KEV catalog. Attackers would need local access or the ability to trick a user into opening a crafted link or running a malicious shortcut. Given the severity, organizations should treat this as high risk for any systems running the affected electerm versions.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade electerm to version 3.8.15 or later, which includes the fix for the code execution bug.
  • Verify that any installed shortcuts or link handlers that launch electerm with custom options are revoked or sanitized; remove untrusted shortcuts.
  • Disable or restrict electerm’s ability to handle deep links if possible, or avoid opening links from untrusted sources.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15.
Title electerm: dangerous code can be run through links or command line
Weaknesses CWE-20
CWE-829
CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:08:09.046Z

Reserved: 2026-05-04T16:59:09.090Z

Link: CVE-2026-43944

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T04:16:24.033

Modified: 2026-05-08T04:16:24.033

Link: CVE-2026-43944

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses