Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click

Description

Electerm’s terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation.

When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, shell.openExternal executes it using the operating system’s default protocol handler.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 3.8.15

References

• GHSA-fwf6-j56g-m97c
• CVE-2026-43941
• CWE-601
• CWE-88
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
• Electerm runWidget has a path traversal that leads to arbitrary code execution - CVE-2026-43940
• jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" pr - CVE-2026-25940
• HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

electerm