Electerm CVE-2026-43941: Critical RCE via Malicious Terminal Links

A critical vulnerability, CVE-2026-43941, has been identified in Electerm, an open-source terminal client. The National Vulnerability Database reports that Electerm versions 3.8.15 and prior are affected. The flaw lies in its terminal hyperlink handler, which directly passes any clicked URL to shell.openExternal without proper protocol validation. This oversight allows an attacker to achieve arbitrary code execution or local file access on a victim’s machine.

Attackers can exploit this by controlling terminal output, for example through a malicious SSH server, a compromised remote host, or a malicious plugin that renders terminal content. The only user interaction required is for the victim to click a displayed link. The National Vulnerability Database assigns this vulnerability a CVSS score of 9.6 (Critical), highlighting the severe impact of successful exploitation. The associated Common Weakness Enumeration (CWE) entries are CWE-88 (Improper Neutralization of Special Elements used in a Command) and CWE-601 (URL Redirection to Untrusted Site).

As of the publication by the National Vulnerability Database, no public patches are available for CVE-2026-43941. This leaves users of affected Electerm versions exposed to significant risk. Defenders must recognize that the attacker’s calculus here is low-cost and high-reward; social engineering a click is a trivial barrier for a critical RCE.
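To make the flaw concrete, here is an added example (not Electerm's code, which the advisory does not show) contrasting the described pass-through to Electron's shell.openExternal with a protocol-allowlist check in front of it. The function names, the stand-in shell object and the sample links are all assumptions of this example.

```javascript
// Added example (not Electerm's code): a protocol allowlist in front of
// Electron's shell.openExternal; validateExternalUrl and fakeShell are assumed names.

// Policy choice for this example: only web and mail links may leave the app;
// file:, javascript:, smb: and registered custom schemes are all refused.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Returns { ok: true, href } for an acceptable link or { ok: false, reason }.
// The WHATWG URL parser lowercases the scheme and strips surrounding whitespace,
// so 'FILE:' and ' javascript:' are normalised before the allowlist check.
function validateExternalUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch (err) {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) { // lure of the form https://trusted@other/
    return { ok: false, reason: 'embedded credentials' };
  }
  return { ok: true, href: parsed.href };
}

// Stand-in for Electron's shell so this runs in plain Node: it only records
// what would have been handed to the operating system.
const opened = [];
const fakeShell = { openExternal: (url) => { opened.push(url); } };
// The pattern the advisory describes: whatever was clicked goes straight to the OS.
function vulnerableLinkHandler(shell, url) {
  shell.openExternal(url);
  return { opened: true, href: url };
}

// Hardened pattern: validate first and open only the normalised href.
function hardenedLinkHandler(shell, url) {
  const verdict = validateExternalUrl(url);
  if (!verdict.ok) return { opened: false, reason: verdict.reason };
  shell.openExternal(verdict.href);
  return { opened: true, href: verdict.href };
}

// Constructed sample links as a remote host could emit them in terminal output.
const SAMPLES = ['https://example.com/docs', 'file:///tmp/sample.txt', 'javascript:void(0)', 'not a url'];
for (const link of SAMPLES) {
  console.log(link, '->', JSON.stringify(hardenedLinkHandler(fakeShell, link)));
}
```

Running it shows only the https sample reaching the stand-in shell; the file, javascript and malformed samples are refused with a reason that can be logged or surfaced to the user.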

What This Means For You

  • If your organization uses Electerm, immediately identify all instances running versions 3.8.15 or prior. Given the lack of a patch for CVE-2026-43941, the only viable mitigation right now is to restrict Electerm usage, particularly in environments where users might connect to untrusted SSH servers or encounter compromised remote hosts. Educate users on the extreme danger of clicking links in terminal output.

Detection Rules

The feed lists four auto-generated detection rules for this entry, mapped to MITRE ATT&CK; one is reproduced below in Sigma YAML. Note that it keys on processes spawned by mail clients (T1204.002, Execution, level medium) and does not cover the Electerm link-click path itself.

Suspicious File Download via Email (Sigma YAML)
title: Suspicious File Download via Email
id: scw-2026-05-08-1
status: experimental
level: medium
description: |
  Detects execution of suspicious processes spawned from email clients, potentially triggered by a phishing attachment.
author: SCW Feed Engine (auto-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43941/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\outlook.exe'
      - '\thunderbird.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-43941

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-43941  RCE                     Electerm versions 3.8.15 and prior
CVE-2026-43941  RCE                     terminal hyperlink handler passes URL to shell.openExternal without protocol validation
CVE-2026-43941  Information Disclosure  local file access via terminal hyperlink handler

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
