GHSA-q4p8-8j9m-8hxj

Suggest an improvement
Source
https://github.com/advisories/GHSA-q4p8-8j9m-8hxj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q4p8-8j9m-8hxj/GHSA-q4p8-8j9m-8hxj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q4p8-8j9m-8hxj
Aliases
  • CVE-2026-43943
Published
2026-05-08T18:43:52Z
Modified
2026-05-08T19:01:34.791095Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor
Details

Impact

A code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization.

A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user's privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network.

<img width="1792" height="817" alt="1" src="https://github.com/user-attachments/assets/ddf78890-e95d-4fe7-981e-f86887677e8b" /> <img width="1648" height="941" alt="2" src="https://github.com/user-attachments/assets/cca2295b-2053-4d99-a464-be51eac2f5be" />

Patches

Fixed in version >= 3.7.9

  • https://github.com/electerm/electerm/commit/24ce7103e264cffe6eb5476c0506a2379e6f8333

Workarounds

Until a patch is available, it is strongly recommended to:
- Refrain from using the open with system editor or "Edit with custom editor" feature when connected to untrusted or unfamiliar SSH servers.
- Consider using the built-in editor for viewing files, as this path may not be vulnerable to the same injection.
- If the feature must be used, ensure connections are exclusively established with trusted servers and perform rigorous filename validation before editing.

Resources

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T18:43:52Z",
    "cwe_ids": [
        "CWE-78",
        "CWE-88"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-05-08T04:16:23Z"
}
References

Affected packages

npm / electerm

Package

Name
electerm
View open source insights on deps.dev
Purl
pkg:npm/electerm

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.9

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q4p8-8j9m-8hxj/GHSA-q4p8-8j9m-8hxj.json"
last_known_affected_version_range 
"<= 3.7.8"