CVE-2026-43941

Critical

Published: 08 May 2026

Published

08 May 2026

Modified

08 May 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0005 15.5th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH…

server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AT-2 Literacy Training and Awareness

addresses: CWE-601

Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

SI-10 Information Input Validation

addresses: CWE-601

Validates redirect targets and URLs to ensure they conform to allowed destinations.

Security SummaryAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-88 CWE-601

Affected Products

electerm project

electerm

≤ 3.8.15

References

https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c
Vendor Advisory, Mitigation · security-advisories@github.com