Cyber Resilience

CVE-2026-43941

Critical

Published: 08 May 2026

Published
08 May 2026
Modified
08 May 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0039 31.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-43941 is a critical-severity Argument Injection (CWE-88) vulnerability in Electerm Project Electerm. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH…

more

server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Vulnerability enables direct arbitrary code execution or file access when victim clicks attacker-controlled hyperlink injected into terminal output, with no protocol validation on shell.openExternal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43944Same product: Electerm Project Electerm
CVE-2026-43943Same product: Electerm Project Electerm
CVE-2026-43940Same product: Electerm Project Electerm
CVE-2026-41500Same product: Electerm Project Electerm
CVE-2026-41501Same product: Electerm Project Electerm
CVE-2024-51321Shared CWE-601
CVE-2025-0244Shared CWE-601
CVE-2020-36912Shared CWE-601
CVE-2026-47114Shared CWE-88
CVE-2026-44833Shared CWE-601

Affected Assets

electerm project
electerm
≤ 3.8.15

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-601

Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

addresses: CWE-601

Validates redirect targets and URLs to ensure they conform to allowed destinations.

References