Cyber Resilience

CVE-2026-45058

CriticalRCEUpdated

Published: 28 May 2026

Published
28 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0023 14.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-45058 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can…

more

inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

RCE via malicious bookmark JSON import or sync data directly enables command execution (Unix/Windows shells) after user opens file (malicious file).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-345 CWE-494

Mandates verification of data authenticity for software, firmware, and information.

addresses: CWE-345 CWE-494

Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.

addresses: CWE-345 CWE-494

The control implements verification mechanisms that detect tampering by ensuring data authenticity.

addresses: CWE-494

Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.

addresses: CWE-494

Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.

addresses: CWE-494

Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.

addresses: CWE-345

Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

addresses: CWE-494

Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.

References