CVE-2026-43941

CRITICAL 9.6

Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click

CVSS Score

9.6

EPSS Score

0.1%

EPSS Percentile

15th

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.

CWE	CWE-88 CWE-601
Vendor	electerm
Product	electerm
Published	May 8, 2026
Last Updated	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for electerm electerm

Be the first to know when new critical vulnerabilities affecting electerm electerm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

electerm / electerm

<= 3.8.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c