CVE-2026-43944

Description

### Impact _Arbitrary local code execution via deep links, CLI `--opts`, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options (affected versions listed in the original report). Exploit requires clicking a crafted `electerm://...` link or opening a crafted shortcut/command that launches electerm with attacker-controlled `opts`._ ### Patches Fixed in version > 3.8.8 commits: - https://github.com/electerm/electerm/commit/8a6a17951e96d715f5a231532bbd8303fe208700 - https://github.com/electerm/electerm/commit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742 - https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507 ### Workarounds - Disable or unregister electerm protocol handlers (Deep Link settings) and avoid clicking `electerm://` links. - Do not run electerm with untrusted `--opts` arguments or open `.lnk` / `.desktop` files from untrusted sources. - Restrict which users can launch electerm on shared machines and avoid leaving electerm installed in locations reachable by other users. - As a temporary measure, run electerm in a confined account or sandbox (non-admin user) to reduce impact. ### References - Report / credit: https://github.com/Curly-Haired-Baboon - Electerm releases: https://github.com/electerm/electerm/releases

How to fix CVE-2026-43944

To remediate CVE-2026-43944, upgrade the affected package to a fixed version below.

—upgrade to 3.8.8 or later

Is CVE-2026-43944 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.0.6, < 3.8.8

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
osv	CVSS 3.1	CRITICAL9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

How to fix CVE-2026-43944

Is CVE-2026-43944 being exploited?

Affected packages (1)

CVSS scores

References (7)