VYPR

npm package

electerm

pkg:npm/electerm

Vulnerabilities (10)

  • CVE-2026-45787, May 14, 2026
    affected: < 3.9.5; fixed: 3.9.5

    Impact: Insecure sync encryption: deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected cipher

  • CVE-2026-45353, Critical, May 14, 2026
    affected: >= 3.0.6, < 3.9.0; fixed: 3.9.0

    Impact: Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on

  • CVE-2026-45058, Critical, May 14, 2026
    affected: <= 3.8.8

    Impact: Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject `exec*` fields or global config to cause remote code to run

  • CVE-2026-43944, Critical, May 8, 2026
    affected: >= 3.0.6, < 3.8.8; fixed: 3.8.8

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm:

  • CVE-2026-43943, High, May 8, 2026
    affected: < 3.7.9; fixed: 3.7.9

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using ope

  • CVE-2026-43942, Medium, May 8, 2026
    affected: <= 3.8.15

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pr

  • CVE-2026-43941, Critical, May 8, 2026
    affected: <= 3.8.15

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who con

  • CVE-2026-43940, High, May 8, 2026
    affected: < 3.7.16; fixed: 3.7.16

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation.

  • CVE-2026-41501, Critical, May 8, 2026
    affected: < 3.3.8; fixed: 3.3.8

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings

  • CVE-2026-41500, Critical, May 8, 2026
    affected: < 3.3.8; fixed: 3.3.8

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name