{"api_version":"1","generated_at":"2026-05-08T10:58:53+00:00","cve":"CVE-2026-43940","urls":{"html":"https://cve.report/CVE-2026-43940","api":"https://cve.report/api/cve/CVE-2026-43940.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43940","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43940"},"summary":{"title":"electerm: Path traversal in electerm runWidget leads to arbitrary code execution","description":"electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-05-08 04:16:23","updated_at":"2026-05-08 04:16:23"},"problem_types":["CWE-22","CWE-829","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-829 CWE-829: Inclusion of Functionality from Untrusted Control Sphere"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.4","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.4","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm","name":"https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/electerm/electerm/releases/tag/v3.7.16","name":"https://github.com/electerm/electerm/releases/tag/v3.7.16","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43940","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43940","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"electerm","product":"electerm","version":"affected < 3.7.16","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"electerm","vendor":"electerm","versions":[{"status":"affected","version":"< 3.7.16"}]}],"descriptions":[{"lang":"en","value":"electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-829","description":"CWE-829: Inclusion of Functionality from Untrusted Control Sphere","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-08T02:58:05.646Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm","tags":["x_refsource_CONFIRM"],"url":"https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm"},{"name":"https://github.com/electerm/electerm/releases/tag/v3.7.16","tags":["x_refsource_MISC"],"url":"https://github.com/electerm/electerm/releases/tag/v3.7.16"}],"source":{"advisory":"GHSA-f77v-9vpc-6pjm","discovery":"UNKNOWN"},"title":"electerm: Path traversal in electerm runWidget leads to arbitrary code execution"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-43940","datePublished":"2026-05-08T02:58:05.646Z","dateReserved":"2026-05-04T16:59:09.089Z","dateUpdated":"2026-05-08T02:58:05.646Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 04:16:23","lastModifiedDate":"2026-05-08 04:16:23","problem_types":["CWE-22","CWE-829","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-829 CWE-829: Inclusion of Functionality from Untrusted Control Sphere"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43940","Ordinal":"1","Title":"electerm: Path traversal in electerm runWidget leads to arbitrar","CVE":"CVE-2026-43940","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43940","Ordinal":"1","NoteData":"electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16.","Type":"Description","Title":"electerm: Path traversal in electerm runWidget leads to arbitrar"}]}}}