Lack of data validation in electerm

Description

electerm users can run dangerous code through a crafted link or command line.

Impact

Arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options (affected versions listed in the original report). Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts.
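The defect the advisory describes is that option values arriving from a deep link or from the CLI reach the application without being checked. The following is an added example, not electerm's own code: a Node.js validator that treats every parameter from an `electerm://` link or a `--opts` JSON string as hostile, accepts only an allowlisted set of keys with tightly shaped values, and rejects everything else. The option names (`host`, `port`, `username`, `title`) and their rules are assumptions chosen for illustration; electerm's real option set is not given on this page.

```javascript
// Added example, not electerm's own code: strict allowlist validation of
// parameters arriving from an untrusted launch source (an electerm://...
// deep link or a CLI --opts JSON string). Key names and rules are assumed.

// Allowlist: every accepted key has a type and a tight shape check.
// Anything else, including any key that could name a program or command,
// is rejected outright rather than passed through to the application.
const ALLOWED_OPTS = {
  host: { type: 'string', pattern: /^[A-Za-z0-9.-]{1,253}$/ },
  port: { type: 'number', min: 1, max: 65535 },
  username: { type: 'string', pattern: /^[A-Za-z0-9._-]{1,64}$/ },
  title: { type: 'string', pattern: /^[A-Za-z0-9 ._-]{1,80}$/ },
};

class ValidationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'ValidationError';
  }
}

// Validate a plain object of options against ALLOWED_OPTS.
// Returns a fresh object containing only the validated keys.
function validateOpts(raw) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new ValidationError('opts must be a JSON object');
  }
  const clean = {};
  for (const [key, value] of Object.entries(raw)) {
    const rule = ALLOWED_OPTS[key];
    if (!rule) {
      throw new ValidationError(`unknown option rejected: ${key}`);
    }
    if (rule.type === 'number') {
      if (!Number.isInteger(value) || value < rule.min || value > rule.max) {
        throw new ValidationError(`option ${key} out of range`);
      }
    } else if (typeof value !== 'string' || !rule.pattern.test(value)) {
      throw new ValidationError(`option ${key} has an invalid value`);
    }
    clean[key] = value;
  }
  return clean;
}

// Parse an electerm:// deep link. Only the scheme is used to select this
// handler; every query parameter is treated as hostile until validated.
function parseDeepLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    throw new ValidationError('malformed link');
  }
  if (url.protocol !== 'electerm:') {
    throw new ValidationError(`unexpected scheme: ${url.protocol}`);
  }
  const raw = {};
  for (const [key, value] of url.searchParams) {
    // Numeric options arrive as text in a URL; coerce before validation so
    // the range check applies. Non-numeric text becomes NaN and is rejected.
    const rule = ALLOWED_OPTS[key];
    raw[key] = rule && rule.type === 'number' ? Number(value) : value;
  }
  return validateOpts(raw);
}

// Parse a CLI --opts value given as JSON text (assumed format).
function parseCliOpts(jsonText) {
  let raw;
  try {
    raw = JSON.parse(jsonText);
  } catch {
    throw new ValidationError('opts is not valid JSON');
  }
  return validateOpts(raw);
}
```

The design point is that the allowlist is the whole policy: a launch source that can only supply a handful of typed, pattern-checked values has no way to smuggle in a program path, shell metacharacters, or an option the application never intended to expose to links. A denylist of "known bad" keys would not give the same guarantee.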

Patches

Fixed in version > 3.8.8

Commits:

Workarounds

    Disable or unregister electerm protocol handlers (Deep Link settings) and avoid clicking electerm:// links.

    Do not run electerm with untrusted --opts arguments or open .lnk / .desktop files from untrusted sources.

    Restrict which users can launch electerm on shared machines and avoid leaving electerm installed in locations reachable by other users.

    As a temporary measure, run electerm in a confined account or sandbox (non-admin user) to reduce impact.

Resources

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
