GHSA-7p5m-v798-f8vv

Suggest an improvement
Source
https://github.com/advisories/GHSA-7p5m-v798-f8vv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7p5m-v798-f8vv/GHSA-7p5m-v798-f8vv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7p5m-v798-f8vv
Aliases
  • CVE-2026-45353
Published
2026-05-14T20:29:59Z
Modified
2026-05-14T20:49:37.796441Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Electerm Local code through electerm's single-instance socket
Details

Impact

Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the machine.

Patches

  • https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507

Workarounds

  • Do not run unsafe command

References

  • Report / credit: https://github.com/Curly-Haired-Baboon
  • Electerm releases: https://github.com/electerm/electerm/releases
Database specific
{
    "github_reviewed_at": "2026-05-14T20:29:59Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-732",
        "CWE-94",
        "CWE-940"
    ],
    "severity": "CRITICAL"
}
References

Affected packages

npm / electerm

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.6
Fixed
3.9.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7p5m-v798-f8vv/GHSA-7p5m-v798-f8vv.json"
last_known_affected_version_range
"<= 3.8.8"