CVE-2026-45353
Electerm Local code through electerm's single-instance socket
Description
### Impact _Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the machine._ ### Patches - https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507 ### Workarounds - Do not run unsafe command ### References - Report / credit: https://github.com/Curly-Haired-Baboon - Electerm releases: https://github.com/electerm/electerm/releases
How to fix CVE-2026-45353
To remediate CVE-2026-45353, upgrade the affected package to a fixed version below.
- —upgrade to 3.9.0 or later
Is CVE-2026-45353 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.0.6, < 3.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |