Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/375955?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/375955?format=api", "purl": "pkg:npm/electerm@3.8.8", "type": "npm", "namespace": "", "name": "electerm", "version": "3.8.8", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.9.5", "latest_non_vulnerable_version": "3.9.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65576?format=api", "vulnerability_id": "VCID-2pth-1pbz-q7a1", "summary": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. 
At time of publication, there are no publicly available patches.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43941", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06743", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06726", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06734", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06754", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43941" }, { "reference_url": "https://github.com/electerm/electerm", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electerm/electerm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43941", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43941" }, { "reference_url": "https://github.com/advisories/GHSA-fwf6-j56g-m97c", "reference_id": "GHSA-fwf6-j56g-m97c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fwf6-j56g-m97c" }, { "reference_url": "https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c", "reference_id": "GHSA-fwf6-j56g-m97c", "reference_type": "", "scores": [ { "value": "8.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-08T14:34:47Z/" } ], "url": "https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c" } ], "fixed_packages": [], "aliases": [ "CVE-2026-43941", "GHSA-fwf6-j56g-m97c" ], "risk_score": 4.3, "exploitability": "0.5", "weighted_severity": "8.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2pth-1pbz-q7a1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69993?format=api", "vulnerability_id": "VCID-bsue-h9tr-2bbc", "summary": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. 
Affects versions from 3.0.6 to 3.8.8. This vulnerability is fixed in 3.9.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45353", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05996", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06006", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0602", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06012", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45353" }, { "reference_url": "https://github.com/electerm/electerm", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electerm/electerm" }, { "reference_url": "https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507", "reference_id": "0599e67069b00e376a2e962649aaad6096e63507", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-28T19:27:17Z/" } ], "url": "https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45353", "reference_id": "CVE-2026-45353", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45353" }, { "reference_url": "https://github.com/advisories/GHSA-7p5m-v798-f8vv", "reference_id": 
"GHSA-7p5m-v798-f8vv", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7p5m-v798-f8vv" }, { "reference_url": "https://github.com/electerm/electerm/security/advisories/GHSA-7p5m-v798-f8vv", "reference_id": "GHSA-7p5m-v798-f8vv", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-28T19:27:17Z/" } ], "url": "https://github.com/electerm/electerm/security/advisories/GHSA-7p5m-v798-f8vv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376093?format=api", "purl": "pkg:npm/electerm@3.9.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electerm@3.9.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/375811?format=api", "purl": "pkg:npm/electerm@3.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electerm@3.9.5" } ], "aliases": [ "CVE-2026-45353", "GHSA-7p5m-v798-f8vv" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bsue-h9tr-2bbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65561?format=api", "vulnerability_id": "VCID-c2ky-2na3-ubh3", "summary": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. 
In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43942", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00196", "published_at": "2026-06-13T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00197", "published_at": "2026-06-11T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00195", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43942" }, { "reference_url": "https://github.com/electerm/electerm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electerm/electerm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43942", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43942" }, { "reference_url": 
"https://github.com/advisories/GHSA-37j4-88rp-2f6h", "reference_id": "GHSA-37j4-88rp-2f6h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37j4-88rp-2f6h" }, { "reference_url": "https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h", "reference_id": "GHSA-37j4-88rp-2f6h", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T23:09:35Z/" } ], "url": "https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h" } ], "fixed_packages": [], "aliases": [ "CVE-2026-43942", "GHSA-37j4-88rp-2f6h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c2ky-2na3-ubh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69895?format=api", "vulnerability_id": "VCID-tky5-4uvt-9ucd", "summary": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. 
This vulnerability is fixed in 3.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45787", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00746", "published_at": "2026-06-11T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00749", "published_at": "2026-06-14T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00743", "published_at": "2026-06-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00745", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45787" }, { "reference_url": "https://github.com/electerm/electerm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electerm/electerm" }, { "reference_url": "https://github.com/electerm/electerm/releases/tag/v3.9.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electerm/electerm/releases/tag/v3.9.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45787", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45787" }, { "reference_url": 
"https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937", "reference_id": "9dd8295e37d53396b980cd45dfc5ed11ad79b937", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:29:07Z/" } ], "url": "https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937" }, { "reference_url": "https://github.com/advisories/GHSA-g29v-q6h7-76wh", "reference_id": "GHSA-g29v-q6h7-76wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g29v-q6h7-76wh" }, { "reference_url": "https://github.com/electerm/electerm/security/advisories/GHSA-g29v-q6h7-76wh", "reference_id": "GHSA-g29v-q6h7-76wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:29:07Z/" } ], "url": "https://github.com/electerm/electerm/security/advisories/GHSA-g29v-q6h7-76wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375811?format=api", "purl": 
"pkg:npm/electerm@3.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electerm@3.9.5" } ], "aliases": [ "CVE-2026-45787", "GHSA-g29v-q6h7-76wh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tky5-4uvt-9ucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69844?format=api", "vulnerability_id": "VCID-ydrw-nwxu-6kc8", "summary": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45058", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15014", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14985", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14894", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15013", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45058" }, { "reference_url": "https://github.com/electerm/electerm", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } 
], "url": "https://github.com/electerm/electerm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45058", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45058" }, { "reference_url": "https://github.com/advisories/GHSA-jgg9-rw32-44pj", "reference_id": "GHSA-jgg9-rw32-44pj", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jgg9-rw32-44pj" }, { "reference_url": "https://github.com/electerm/electerm/security/advisories/GHSA-jgg9-rw32-44pj", "reference_id": "GHSA-jgg9-rw32-44pj", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-30T02:03:52Z/" } ], "url": "https://github.com/electerm/electerm/security/advisories/GHSA-jgg9-rw32-44pj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1066809?format=api", "purl": "pkg:npm/electerm@3.8.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2pth-1pbz-q7a1" }, { "vulnerability": "VCID-bsue-h9tr-2bbc" }, { "vulnerability": "VCID-c2ky-2na3-ubh3" }, { "vulnerability": "VCID-tky5-4uvt-9ucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electerm@3.8.15" } ], "aliases": [ "CVE-2026-45058", "GHSA-jgg9-rw32-44pj" ], "risk_score": 4.5, "exploitability": 
"0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydrw-nwxu-6kc8" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65535?format=api", "vulnerability_id": "VCID-scya-q5rb-hfbm", "summary": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36919", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36905", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36712", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36891", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43944" }, { "reference_url": "https://github.com/electerm/electerm", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/electerm/electerm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43944", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43944" }, { "reference_url": "https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507", "reference_id": "0599e67069b00e376a2e962649aaad6096e63507", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:06:05Z/" } ], "url": "https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507" }, { "reference_url": "https://github.com/electerm/electerm/commit/8a6a17951e96d715f5a231532bbd8303fe208700", "reference_id": "8a6a17951e96d715f5a231532bbd8303fe208700", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:06:05Z/" } ], "url": "https://github.com/electerm/electerm/commit/8a6a17951e96d715f5a231532bbd8303fe208700" }, { 
"reference_url": "https://github.com/electerm/electerm/commit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742", "reference_id": "a79e06f4a1f0ac6376c3d2411ef4690fa0377742", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:06:05Z/" } ], "url": "https://github.com/electerm/electerm/commit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742" }, { "reference_url": "https://github.com/advisories/GHSA-mpm8-cx2p-626q", "reference_id": "GHSA-mpm8-cx2p-626q", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mpm8-cx2p-626q" }, { "reference_url": "https://github.com/electerm/electerm/security/advisories/GHSA-mpm8-cx2p-626q", "reference_id": "GHSA-mpm8-cx2p-626q", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:06:05Z/" } ], "url": "https://github.com/electerm/electerm/security/advisories/GHSA-mpm8-cx2p-626q" }, { "reference_url": "https://github.com/electerm/electerm/releases/tag/v3.8.15", "reference_id": "v3.8.15", "reference_type": "", 
"scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:06:05Z/" } ], "url": "https://github.com/electerm/electerm/releases/tag/v3.8.15" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375955?format=api", "purl": "pkg:npm/electerm@3.8.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2pth-1pbz-q7a1" }, { "vulnerability": "VCID-bsue-h9tr-2bbc" }, { "vulnerability": "VCID-c2ky-2na3-ubh3" }, { "vulnerability": "VCID-tky5-4uvt-9ucd" }, { "vulnerability": "VCID-ydrw-nwxu-6kc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electerm@3.8.8" } ], "aliases": [ "CVE-2026-43944", "GHSA-mpm8-cx2p-626q" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-scya-q5rb-hfbm" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/electerm@3.8.8" }