CVE Catalog

CVE-2026-43941

Critical
Published: Translated: NVD NIST

Summary

Electerm is a terminal client that in versions 3.8.15 and prior does not validate protocols for URLs clicked in the terminal. Attackers can exploit this to execute arbitrary code or access local files on the victim's machine if the victim clicks a displayed link.

Risk Assessment

The organization is at risk of malicious code execution and unauthorized access to local files, which can lead to serious security breaches.

Recommendation

It is recommended to update Electerm to the latest version as soon as it becomes available and to restrict terminal access from unknown or untrusted sources.

Original NVD description (English source)

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS