CRITICAL🇵🇱 Wersja polska

CVE-2026-43941

CVSS 9.6v3.1pub. 2026-05-08

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Electerm Project Electerm

    APP
    Electerm Project
    ≤ 3.8.15
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-45353CRITICAL9.3PL ✓ten sam produkt

Krytyczna podatność w kliencie electerm (wersje 3.0.6–3.8.8)

CVE-2026-41500CRITICAL9.8PL ✓ten sam produkt

Command injection w electerm — wykonanie kodu przez złośliwe releaseInfo.name

CVE-2026-43944CRITICAL9.4PL ✓ten sam produkt

RCE w electerm — wykonanie kodu przez deep links i spreparowane skróty

CVE-2026-41501CRITICAL9.8PL ✓ten sam produkt

Command injection w Electerm — wstrzyknięcie polecenia przez zdalny ciąg wersji

CVE-2020-23256CRITICAL9.8ten sam produkt

An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request ...