CVE-2026-43942

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:electerm_project:electerm:*:*:*:*:*:*:*:*

History

08 May 2026, 19:17

Type	Values Removed	Values Added
First Time		Electerm Project Electerm Project electerm
CPE		cpe:2.3:a:electerm_project:electerm::::::::
References	~~() https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h -~~	() https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h - Vendor Advisory, Mitigation

08 May 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-08 04:16

Updated : 2026-05-08 19:17

NVD link : CVE-2026-43942

Mitre link : CVE-2026-43942

CVE.ORG link : CVE-2026-43942

JSON object : View

Products Affected

electerm_project

electerm

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-312

Cleartext Storage of Sensitive Information

5.5 /10