Severity score: 9.8

CVE-2026-43940: Electerm Prior to 3.7.16 Allows Malicious File Execution

CVE-2026-43940 GHSA-f77v-9vpc-6pjm
Summary

Electerm's terminal client has a security issue that allows an attacker to run malicious code on a user's computer if they can trick the client into loading a malicious file. This is fixed in version 3.7.16, so update to this version to be safe.

What to do
  • Update electerm to version 3.7.16.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
| --- | --- | --- | --- |
| npm | | electerm | < 3.7.16 |
Fix: upgrade to 3.7.16
Original title
Electerm runWidget has a path traversal that leads to arbitrary code execution
Original description
### Impact
The `runWidget` function in `src/app/widgets/load-widget.js` constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation:

```javascript
const path = require('path')

// widgetId arrives from the renderer over IPC and is interpolated unchecked,
// so "../" sequences in it walk out of __dirname before require() runs
const file = `widget-${widgetId}.js`
const widget = require(path.join(__dirname, file))
```

Because `runWidget` is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a **path traversal** (`../`) to load and execute an arbitrary JavaScript file anywhere on the victim’s filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise.

### Patches

Fixed in version >= 3.7.16

### Workarounds
Until a patch is released:
- Do not install or run untrusted plugins.
- Avoid loading arbitrary web content inside electerm’s embedded webview (for example, disable any features that fetch and display remote HTML).
- Run electerm in a sandboxed environment (e.g., with `bubblewrap` on Linux, AppArmor/SELinux profiles, or Windows sandboxed app execution) to limit the impact of any code execution.

### Resources
- [electerm GitHub Repository](https://github.com/electerm/electerm)
- [electerm Security Policy](https://github.com/electerm/electerm/security)
- Vulnerability details originally reported by external researcher (PoC confirmed on v3.7.9, Win10).
NVD CVSS 3.1: 8.4
Vulnerability type
CWE-22 Path Traversal
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Published: 8 May 2026 · Updated: 28 May 2026 · First seen: 8 May 2026