CVE-2026-43940

HIGH

electerm: Path traversal in electerm runWidget leads to arbitrary code execution

Title source: cna

Description

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm

X_Refsource_Misc x_refsource_misc

https://github.com/electerm/electerm/releases/tag/v3.7.16

Scores

CVSS v3 8.4

EPSS 0.0004

EPSS Percentile 13.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22 CWE-829

Status published

Products (3)

electerm/electerm < 3.7.16

electerm_project/electerm < 3.7.16

npm/electerm 0 - 3.7.16npm

Published May 08, 2026

Tracked Since May 08, 2026