CVE-2026-43940

HIGH 8.4

electerm: Path traversal in electerm runWidget leads to arbitrary code execution

CVSS Score

8.4

EPSS Score

0.0%

EPSS Percentile

0th

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.

CWE	CWE-22 CWE-829
Vendor	electerm
Product	electerm
Published	May 8, 2026
Last Updated	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for electerm electerm

Be the first to know when new high vulnerabilities affecting electerm electerm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

electerm / electerm

< 3.7.16

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm github.com: https://github.com/electerm/electerm/releases/tag/v3.7.16