{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/terminal-emulator/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm (\u003c= 3.11.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","client-side","terminal-emulator","file-transfer"],"_cs_type":"advisory","_cs_vendors":["electerm"],"content_html":"\u003cp\u003eA significant path traversal vulnerability, tracked as CVE-2026-49253, has been identified in electerm, a popular terminal emulator. This flaw affects the Zmodem and Trzsz file download handlers in versions up to and including 3.11.0. The vulnerability stems from electerm's failure to sanitize remote-supplied filenames when combining them with the user-selected download directory path. This allows a malicious SSH server or remote shell process to provide filenames like \u003ccode\u003e../escaped.txt\u003c/code\u003e, effectively escaping the intended download directory. Consequently, files can be written to arbitrary locations on the user's filesystem, subject to the permissions of the electerm process. This could lead to severe consequences such as overwriting critical system files, altering user configuration, or deploying malicious payloads, posing a substantial risk to user data integrity and system security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes control over an SSH server or gains access to a remote shell session.\u003c/li\u003e\n\u003cli\u003eA user of electerm connects to this attacker-controlled SSH server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a Zmodem (\u003ccode\u003erz\u003c/code\u003e or \u003ccode\u003esz\u003c/code\u003e) or Trzsz (\u003ccode\u003etrz\u003c/code\u003e or \u003ccode\u003etsz\u003c/code\u003e) file transfer protocol session.\u003c/li\u003e\n\u003cli\u003eDuring the transfer, the attacker supplies a specially crafted filename containing directory traversal sequences (e.g., \u003ccode\u003e../../.bashrc\u003c/code\u003e, \u003ccode\u003e../escaped.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe electerm client receives the file transfer request and presents it to the user.\u003c/li\u003e\n\u003cli\u003eThe user accepts the transfer and selects an intended download directory within electerm.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability in \u003ccode\u003epath.join()\u003c/code\u003e, electerm processes the unsanitized filename, causing the file to be written outside the user-selected download directory.\u003c/li\u003e\n\u003cli\u003eThe malicious file is written to an arbitrary location on the user's filesystem, potentially overwriting sensitive configuration files, system binaries, or dropping new malicious executables, achieving data destruction or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis path traversal vulnerability poses a high risk to users of electerm. If exploited, an attacker could write arbitrary files to any location on the victim's filesystem where the electerm process has write permissions. This could lead to the overwrite or corruption of critical system files, user configuration files (e.g., \u003ccode\u003e~/.bashrc\u003c/code\u003e, \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e), or the injection of malicious scripts or binaries. The direct consequences include system instability, loss of data integrity, unauthorized access (if configuration files are tampered with), and potentially full system compromise. There is no specific victim count available, but all users running vulnerable versions of electerm are at risk, regardless of their sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update electerm to a patched version to remediate CVE-2026-49253.\u003c/li\u003e\n\u003cli\u003eInstruct users to avoid connecting to untrusted SSH servers.\u003c/li\u003e\n\u003cli\u003eAdvise users to reject or cancel any incoming Zmodem or Trzsz file transfers if they originate from untrusted sources.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of using Zmodem (\u003ccode\u003esz\u003c/code\u003e/\u003ccode\u003erz\u003c/code\u003e) and Trzsz (\u003ccode\u003etrz\u003c/code\u003e/\u003ccode\u003etsz\u003c/code\u003e) commands when interacting with untrusted or potentially compromised remote servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:38:43Z","date_published":"2026-07-03T11:38:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-electerm-path-traversal/","summary":"A path traversal vulnerability exists in electerm's Zmodem and Trzsz file download handlers (CVE-2026-49253), allowing a malicious SSH server to send specially crafted filenames (e.g., `../escaped.txt`) that, when accepted by the user, can cause files to be written to arbitrary locations on the user's filesystem, potentially overwriting sensitive files or introducing malicious content.","title":"electerm Path Traversal Vulnerability in Zmodem and Trzsz Download Handling (CVE-2026-49253)","url":"https://feed.craftedsignal.io/briefs/2026-07-electerm-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Terminal-Emulator","version":"https://jsonfeed.org/version/1.1"}