Critical severity9.1GHSA Advisory· Published May 28, 2026· Updated Jun 3, 2026
CVE-2026-45787
CVE-2026-45787
Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulnerability is fixed in 3.9.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
electermnpm | < 3.9.5 | 3.9.5 |
Affected products
3Patches
Vulnerability mechanics
References
5- github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937nvdPatchWEB
- github.com/electerm/electerm/security/advisories/GHSA-g29v-q6h7-76whnvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-g29v-q6h7-76whghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-45787ghsaADVISORY
- github.com/electerm/electerm/releases/tag/v3.9.5ghsaWEB
News mentions
1- Electerm: Three Critical and Medium CVEs Disclosed — Weak Crypto and RCE via Imported BookmarksVypr Intelligence · May 28, 2026