CVE-2026-43940HIGH 8.4EPSS p6.2%

CVE-2026-43940CVE-2026-43940

Description

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.

Scoring

CVSS 3.18.4 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.17% probability of exploitation · percentile 6.2% · 2026-06-19T12:03:05Z
Published2026-05-08
Last modified2026-05-08

Underlying weaknesses· 2

CWE-22CWE-829

References

  1. https://github.com/electerm/electerm/releases/tag/v3.7.16
  2. https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm

2

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live
WeaknessInclusion of Functionality from Untrusted Control Spherecwe-8290%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-43944
CVE
CVE-2026-43941
CVE
CVE-2026-45353
CVE
CVE-2026-41501
CVE
CVE-2026-45058
CVE
CVE-2026-41500
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.