VYPR
Critical severity9.1GHSA Advisory· Published May 28, 2026· Updated Jun 3, 2026

CVE-2026-45787

CVE-2026-45787

Description

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulnerability is fixed in 3.9.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
electermnpm
< 3.9.53.9.5

Affected products

3
  • Electerm/ElectermGHSA2 versions
    < 3.9.5+ 1 more
    • (no CPE)range: < 3.9.5
    • cpe:2.3:a:electerm_project:electerm:*:*:*:*:*:*:*:*range: <3.9.5
  • ghsa-coords
    Range: < 3.9.5

Patches

Vulnerability mechanics

References

5

News mentions

1