GHSA-mpm8-cx2p-626q

Suggest an improvement
Source
https://github.com/advisories/GHSA-mpm8-cx2p-626q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mpm8-cx2p-626q/GHSA-mpm8-cx2p-626q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mpm8-cx2p-626q
Aliases
  • CVE-2026-43944
Published
2026-05-08T18:46:04Z
Modified
2026-05-13T13:56:11.555899Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Electerm users can run dangrous code through link or command line
Details

Impact

Arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options (affected versions listed in the original report). Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts.

Patches

Fixed in version > 3.8.8

commits:

  • https://github.com/electerm/electerm/commit/8a6a17951e96d715f5a231532bbd8303fe208700
  • https://github.com/electerm/electerm/commit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742
  • https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507

Workarounds

  • Disable or unregister electerm protocol handlers (Deep Link settings) and avoid clicking electerm:// links.
  • Do not run electerm with untrusted --opts arguments or open .lnk / .desktop files from untrusted sources.
  • Restrict which users can launch electerm on shared machines and avoid leaving electerm installed in locations reachable by other users.
  • As a temporary measure, run electerm in a confined account or sandbox (non-admin user) to reduce impact.

References

  • Report / credit: https://github.com/Curly-Haired-Baboon
  • Electerm releases: https://github.com/electerm/electerm/releases
Database specific
{
    "github_reviewed_at": "2026-05-08T18:46:04Z",
    "nvd_published_at": "2026-05-08T04:16:24Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-829",
        "CWE-94"
    ],
    "severity": "CRITICAL"
}
References

Affected packages

npm / electerm

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.6
Fixed
3.8.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mpm8-cx2p-626q/GHSA-mpm8-cx2p-626q.json"