CVE-2026-43940
Path Traversal in Electerm Terminal Client
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electerm_project | electerm | to 3.7.16 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.
Can you explain this vulnerability to me?
CVE-2026-43940 is a high-severity vulnerability in the electerm application affecting versions 3.7.9 and earlier.
The issue involves a path traversal flaw in the runWidget function located in src/app/widgets/load-widget.js. This function constructs a file path by directly concatenating user-supplied widget identifiers without sanitization.
Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross-site scripting flaw in the built-in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victimβs filesystem.
This allows the attacker to execute code locally with the full privileges of the electerm process, leading to complete system compromise.
The vulnerability has been patched in version 3.7.16 and later.
How can this vulnerability impact me? :
An attacker who exploits this vulnerability can achieve local code execution with the full privileges of the electerm process.
This can lead to complete system compromise, allowing the attacker to load and execute arbitrary JavaScript files anywhere on the victimβs filesystem.
Because the attack requires JavaScript execution inside the renderer process, it can be triggered through malicious plugins or cross-site scripting flaws in the embedded webview.
Until patched, users are advised not to install untrusted plugins, avoid loading arbitrary web content in the embedded webview, and run electerm in a sandboxed environment to mitigate potential impacts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability until you can upgrade to version 3.7.16 or later, you should avoid installing untrusted plugins and avoid loading arbitrary web content in the embedded webview.
Additionally, running electerm in a sandboxed environment can help reduce the potential impact of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.