CVE-2026-43940: electerm Path Traversal Leads to RCE

The open-source terminal client electerm, prior to version 3.7.16, is vulnerable to a critical path traversal (CVE-2026-43940). The National Vulnerability Database indicates that the runWidget function in src/app/widgets/load-widget.js mishandles user-supplied widget identifiers, directly concatenating them into file paths without sanitization. This flaw, exposed to the renderer process via an asynchronous IPC handler lacking input validation, creates a dangerous attack surface.

An attacker who achieves JavaScript execution within the renderer process – for instance, through a malicious plugin or a cross-site scripting flaw in the built-in webview – can exploit this path traversal. By manipulating the widget identifier with ../ sequences, they can load and execute arbitrary JavaScript files from any location on the victim’s filesystem. This grants the attacker local code execution with the full privileges of the electerm process, culminating in complete system compromise. The National Vulnerability Database rates this with a CVSS score of 8.4 (HIGH).

This vulnerability, categorized under CWE-22 (Path Traversal) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), highlights the severe risks of inadequate input validation in client-side applications. Defenders must understand that client-side compromise can rapidly escalate to full system control, especially with tools like electerm that often run with elevated privileges or handle sensitive connections. Patching is critical.

What This Means For You

  • If your organization uses electerm, you need to immediately verify that all installations are updated to version 3.7.16 or later to mitigate CVE-2026-43940. This isn't just a minor bug; it's a direct path to local code execution and full system compromise if an attacker lands JavaScript execution on a client. Don't underestimate the risk of seemingly benign client applications – they can be a pivot point for a full breach.

Detection Rules

Severity: critical · ATT&CK: T1190 (Initial Access)

Sigma rule (auto-generated, mapped to MITRE ATT&CK):
title: CVE-2026-43940: electerm Path Traversal to RCE via load-widget.js
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects the execution of electerm.exe with command line arguments containing '..', indicating a potential path traversal attempt to load arbitrary JavaScript files, as described in CVE-2026-43940. This can lead to Remote Code Execution (RCE) if successful.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43940/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'electerm.exe'
    CommandLine|contains:
      - '..'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID              Type            Indicator
CVE-2026-43940  Path Traversal  electerm < 3.7.16
CVE-2026-43940  RCE             electerm < 3.7.16
CVE-2026-43940  Path Traversal  electerm: src/app/widgets/load-widget.js, runWidget function
CVE-2026-43940  Code Injection  electerm: IPC handler with no input validation

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.