CVE-2026-45058
Published: 28 May 2026
Summary
CVE-2026-45058 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003). It ranks at percentile 14.2 by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-32961
Vulnerability details
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.
- CWE(s)
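The details above name `exec*` fields in imported bookmark JSON and synced global config as the injection point. The following pre-import audit is an added example, not electerm's own code or its fix: it assumes the dangerous keys are exactly those whose name starts with `exec`, and the key names and layout in the sample document are constructed.

```javascript
// Added example: audit a bookmark/sync JSON document before it is imported.
// Assumption: risky keys are those whose name starts with "exec" (the
// advisory's "exec* fields"); the real electerm schema is not shown on the page.
// The match is deliberately broad: a benign key such as "executor" is dropped too.
const EXEC_KEY = /^exec/i;

// Walk any JSON value and collect { path, value } for every exec* key.
function findExecFields(node, path = '$', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findExecFields(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      if (EXEC_KEY.test(key)) hits.push({ path: childPath, value });
      findExecFields(value, childPath, hits);
    }
  }
  return hits;
}

// Return a deep copy with every exec* key removed, plus the list of what was dropped.
function sanitizeImport(jsonText) {
  const doc = JSON.parse(jsonText); // throws on malformed input: reject the file
  const removed = findExecFields(doc);
  const strip = (node) => {
    if (Array.isArray(node)) return node.map(strip);
    if (node !== null && typeof node === 'object') {
      return Object.fromEntries(
        Object.entries(node)
          .filter(([key]) => !EXEC_KEY.test(key))
          .map(([key, value]) => [key, strip(value)])
      );
    }
    return node;
  };
  return { clean: strip(doc), removed };
}

// Constructed sample import file (not taken from a real electerm export).
const SAMPLE = JSON.stringify({
  bookmarks: [
    { title: 'build host', host: '192.0.2.10', port: 22 },
    { title: 'local shell', type: 'local', execLinux: '/tmp/not-a-shell', execLinuxArgs: ['-x'] }
  ],
  config: { theme: 'dark', execWindows: 'C:\\Users\\Public\\run.cmd' }
});

const report = sanitizeImport(SAMPLE);
for (const hit of report.removed) console.log(`dropped ${hit.path} = ${JSON.stringify(hit.value)}`);
```

Any non-empty `removed` list is worth treating as a reason to reject the file or sync payload outright rather than importing the cleaned copy silently.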
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
RCE via malicious bookmark JSON import or sync data directly enables command execution (Unix/Windows shells) after the user opens a malicious file.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Mandates verification of data authenticity for software, firmware, and information.
Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.
The control implements verification mechanisms that detect tampering by ensuring data authenticity.
Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.
Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.
Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.
Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.
Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.