CVE-2026-43940
Analyzed Analyzed - Analysis Complete
Path Traversal in Electerm Terminal Client

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43940
EUVD
EUVD-2026-28512
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
electerm_project electerm to 3.7.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.

Executive Summary

CVE-2026-43940 is a high-severity vulnerability in the electerm application affecting versions 3.7.9 and earlier.

The issue involves a path traversal flaw in the runWidget function located in src/app/widgets/load-widget.js. This function constructs a file path by directly concatenating user-supplied widget identifiers without sanitization.

Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross-site scripting flaw in the built-in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem.

This allows the attacker to execute code locally with the full privileges of the electerm process, leading to complete system compromise.

The vulnerability has been patched in version 3.7.16 and later.

Impact Analysis

An attacker who exploits this vulnerability can achieve local code execution with the full privileges of the electerm process.

This can lead to complete system compromise, allowing the attacker to load and execute arbitrary JavaScript files anywhere on the victim’s filesystem.

Because the attack requires JavaScript execution inside the renderer process, it can be triggered through malicious plugins or cross-site scripting flaws in the embedded webview.

Until patched, users are advised not to install untrusted plugins, avoid loading arbitrary web content in the embedded webview, and run electerm in a sandboxed environment to mitigate potential impacts.

Mitigation Strategies

To mitigate this vulnerability until you can upgrade to version 3.7.16 or later, you should avoid installing untrusted plugins and avoid loading arbitrary web content in the embedded webview.

Additionally, running electerm in a sandboxed environment can help reduce the potential impact of exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart