Vulnerability Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Electerm Project | Electerm | < 3.7.16 |
Related Weaknesses (CWE)
References
- https://github.com/electerm/electerm/releases/tag/v3.7.16Release Notes
- https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjmVendor AdvisoryMitigation
FAQ
What is CVE-2026-43940?
CVE-2026-43940 is a vulnerability with a CVSS score of 8.4 (HIGH). electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by di...
How severe is CVE-2026-43940?
CVE-2026-43940 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-43940?
Check the references section above for vendor advisories and patch information. Affected products include: Electerm Project Electerm.