CVE-2026-43944

Summary

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI –opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://… link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15.

Affected Software

VendorProductVersion RangeStatus
electermelecterm>= 3.0.6, < 3.8.15affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation
  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-829: CWE-829: Inclusion of Functionality from Untrusted Control Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References