Arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options (affected versions listed in the original report). Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts.
Fixed in version > 3.8.8
commits:
electerm:// links.
--opts arguments or open .lnk / .desktop files from untrusted sources.
{
"github_reviewed_at": "2026-05-08T18:46:04Z",
"nvd_published_at": "2026-05-08T04:16:24Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-20",
"CWE-829",
"CWE-94"
],
"severity": "CRITICAL"
}