CVE-2026-45058
Deferred Deferred - Pending Action
Persistent Local-PTY Code Execution in Electerm

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-45058
EUVD
EUVD-2026-32961
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
electerm electerm to 3.8.8 (exc)
electerm electerm to 3.8.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-494 The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.

Compliance Impact

The vulnerability in electerm allows remote code execution through malicious bookmark imports or compromised sync targets, which can lead to unauthorized access and manipulation of system resources.

Such unauthorized code execution and potential data compromise can negatively impact the confidentiality, integrity, and availability of sensitive data, which are core principles in compliance frameworks like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure to adequately protect sensitive information and maintain system security.

Executive Summary

CVE-2026-45058 is a critical vulnerability in the electerm application, versions 3.8.8 and earlier. It arises from unsafe handling of bookmark data imports, allowing attackers to inject malicious code through exec* fields or global configuration settings in bookmark JSON files or compromised sync targets like gist or WebDAV.

This injection leads to persistent local-pty code execution, meaning that when a user opens a malicious bookmark or when sync operations apply compromised data, remote code can be executed on the user's system.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the affected system, which compromises confidentiality, integrity, and availability of the system.

  • Attackers can execute arbitrary code locally, potentially gaining control over the system.
  • It can lead to data breaches or system manipulation due to the high severity of the vulnerability.
  • Users who import untrusted bookmark data or use compromised sync targets are at risk.
Mitigation Strategies

To mitigate this vulnerability, users should avoid importing untrusted bookmark JSON files and refrain from using compromised sync targets such as gist or WebDAV.

Since no patches are currently available, the best immediate step is to ensure that only trusted bookmark data is imported and to disable or carefully monitor sync configurations to prevent remote code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart