Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the machine.
{
"github_reviewed_at": "2026-05-14T20:29:59Z",
"nvd_published_at": null,
"github_reviewed": true,
"cwe_ids": [
"CWE-732",
"CWE-94",
"CWE-940"
],
"severity": "CRITICAL"
}