Threat Feed

Tag

Electerm

5 briefs
critical advisory

Electerm Vulnerable to Remote Code Execution via Malicious Bookmarks (CVE-2026-45058)

Electerm is vulnerable to remote code execution (CVE-2026-45058) via maliciously crafted bookmark files or compromised sync targets, allowing attackers to inject arbitrary commands when a bookmark is opened or when a sync operation is performed.

electerm rce code-execution cve-2026-45058
2r 1t
critical advisory

Electerm Arbitrary Code Execution via Crafted URI or CLI Arguments

Electerm versions 3.0.6 through 3.8.14 are vulnerable to arbitrary local code execution via crafted electerm:// URIs or command-line arguments, requiring a user to click a malicious link or open a malicious shortcut file.

Electerm code-execution protocol-handler
2r 1t 1c
high advisory

Electerm Remote Code Execution Vulnerability via Malicious Filenames

A remote code execution vulnerability exists in Electerm versions 3.7.8 and earlier, where a malicious SSH server can inject arbitrary commands into a victim's system by crafting filenames with shell metacharacters that are executed when the user attempts to open or edit the file using the 'open with system editor' or 'edit with custom editor' feature.

electerm rce sftp remote code execution
2r 1t 1c
critical advisory

Electerm Path Traversal Vulnerability Leads to Arbitrary Code Execution

Electerm versions prior to 3.7.16 are vulnerable to path traversal, leading to arbitrary code execution through unsanitized widget identifiers.

electerm path-traversal code-execution
2r 2t 1c
critical advisory

Electerm Command Injection Vulnerability via runLinux Function

A command injection vulnerability exists in electerm's install.js due to insufficient validation in the runLinux() function, allowing attackers to execute arbitrary commands by manipulating remote release metadata.

electerm command-injection npm
2r 1t