CVE-2026-43941
Status: Analyzed - Analysis Complete
Electerm Terminal Hyperlink Arbitrary Code Execution

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor: electerm_project
Product: electerm
Version / Range: to 3.8.15 (inc)
CWE ID: Description
CWE-88: The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

CVE-2026-43941 is a critical vulnerability in the electerm application where the terminal hyperlink handler passes any clicked URL directly to shell.openExternal without validating the protocol.

This flaw allows an attacker who controls terminal output (for example, via a malicious SSH server, compromised remote host, or malicious plugin) to craft a URI that, when clicked by the victim, invokes an arbitrary protocol handler.

By exploiting this, the attacker can trigger dangerous handlers to achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link.

There are no official patches available at the time of publication.
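
The missing protocol validation can be illustrated with a scheme allowlist placed in front of the opener. This is an added example, not electerm's code and not an official patch; `checkExternalUrl`, `makeSafeOpener`, the allowlist and the length limit are hypothetical, and the opener is injected so the block runs without Electron.

```javascript
// Added example: a scheme allowlist in front of an opener such as Electron's
// shell.openExternal. Function names and the allowlist are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']); // assumed policy
const MAX_URL_LENGTH = 2048; // assumed limit

// Decide whether a clicked link may leave the application.
function checkExternalUrl(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_URL_LENGTH) {
    return { ok: false, reason: 'not a string or too long' };
  }
  let parsed;
  try {
    parsed = new URL(raw); // WHATWG parser: lower-cases the scheme
  } catch {
    return { ok: false, reason: 'unparseable' }; // relative or malformed input
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  return { ok: true, href: parsed.href }; // hand on the normalized form only
}

// Wrap the real opener so every click goes through the check first.
// In an Electron main process, openExternal would be shell.openExternal.
function makeSafeOpener(openExternal, onBlocked = () => {}) {
  return async function openLink(raw) {
    const verdict = checkExternalUrl(raw);
    if (!verdict.ok) {
      onBlocked(raw, verdict.reason); // log, never open
      return false;
    }
    await openExternal(verdict.href);
    return true;
  };
}
```

The check is deny-by-default: any scheme not listed, including custom ones, is refused and reported to `onBlocked` instead of being opened.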

Impact Analysis

This vulnerability can lead to arbitrary code execution or local file access on your machine if you click a malicious link displayed in the electerm terminal.

  • An attacker controlling terminal output can invoke harmful protocol handlers that may launch applications, access local files, or leak sensitive data such as NTLM hashes.
  • It can result in significant confidentiality, integrity, and availability impacts due to the ability to run arbitrary code or access local resources.

Because exploitation requires only user interaction (clicking a link), the risk is high, especially in untrusted terminal sessions.

Detection Guidance

This vulnerability involves the electerm terminal hyperlink handler passing clicked URLs directly to shell.openExternal without protocol validation. Detection focuses on monitoring or identifying suspicious URLs being clicked within electerm terminal sessions.

Since exploitation requires user interaction (clicking a link), detection can include auditing terminal output for unexpected or suspicious hyperlinks, especially those using unusual or dangerous URI schemes such as ms-msdt:, search-ms:, or custom URI schemes.

There are no specific commands provided to detect this vulnerability directly on the network or system.

Users should monitor terminal logs or session outputs for unexpected hyperlinks and avoid clicking links from untrusted sources.
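
One way to audit saved session output for the schemes mentioned above, as an added example that is not part of the advisory or of electerm. The sample log, the allowlist and the name `auditTerminalLog` are constructed for illustration.

```javascript
// Added example: audit saved terminal output for links whose scheme is outside
// an allowlist. Sample log, allowlist and function names are constructed.
const BROWSER_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy
const WATCHLIST = new Set(['ms-msdt', 'search-ms']); // schemes named in the advisory

// scheme, ":", optional "//", then the rest of the token up to whitespace
const URI_RE = /(?<![a-z0-9+.-])([a-z][a-z0-9+.-]{1,31}):(\/\/)?[^\s\x00-\x1f"'<>]+/gi;

function auditTerminalLog(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(URI_RE)) {
      const scheme = m[1].toLowerCase();
      if (BROWSER_SCHEMES.has(scheme)) continue;
      let severity = null;
      if (WATCHLIST.has(scheme)) severity = 'high';
      // Unknown scheme: only report the "scheme://" form, so that plain
      // "key:value" text in logs does not flood the report.
      else if (m[2]) severity = 'review';
      if (severity) findings.push({ line: idx + 1, scheme, severity, uri: m[0] });
    }
  });
  return findings;
}

// Constructed sample session output (placeholders, not real payloads).
const SAMPLE_LOG = [
  'Welcome to build-host (constructed sample session)',
  'Docs: https://example.com/handbook',
  'Click to fix: ms-msdt:constructed-placeholder',
  'Results: SEARCH-MS:constructed-placeholder',
  'Share: customapp://open/constructed',
  'backup finished at 12:30:05, status: ok, user:deploy',
].join('\n');

console.log(auditTerminalLog(SAMPLE_LOG));
```

Custom schemes written without `//` are reported only when they are on the watchlist, so the watchlist should be extended with any handlers registered on the audited workstations.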

Mitigation Strategies

Immediate mitigation steps include avoiding clicking any links displayed in electerm terminal sessions, especially from untrusted or unknown sources.

Users are advised to disable hyperlink rendering in electerm settings to prevent clickable links from appearing in the terminal.

Alternatively, use other terminal applications such as tmux that do not have this vulnerability.

Running electerm in a restricted environment or sandbox can also help limit the impact of potential exploitation.

At the time of publication, no official patches are available, so these workarounds are critical to reduce risk.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary code or access local files on the victim's machine by tricking the user into clicking a malicious link in the terminal. This can lead to unauthorized access to sensitive data, potential data leakage, and compromise of system integrity.

Such unauthorized access and potential data exfiltration could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Because the vulnerability enables attackers to leak NTLM hashes and exfiltrate data, organizations using affected versions of electerm may face increased risk of violating confidentiality and integrity requirements mandated by these standards.
