UNKNOWN npm

Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark

GHSA-jgg9-rw32-44pj · CVE-2026-45058

Description

Impact

Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.

Patches

Not yet

Workarounds

  • Do not import unsafe data
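One way to apply this workaround is to inspect a bookmark export before importing it and refuse any file that carries `exec*` fields. The following is an added example, not part of the advisory and not electerm code. It assumes only that the import file is JSON and that the risky keys start with `exec`, as the Impact section describes; the sample data and its other field names are constructed, and the global config case is not covered because the advisory does not name its keys.

```javascript
// Added example, not electerm code. Assumption: risky keys are those whose
// names start with "exec" (per the advisory). No file layout is assumed:
// every nested object and array in the import is walked.
function findExecFields(node, path = '$', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findExecFields(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      const empty = value === null || value === undefined || value === '';
      // Report any populated exec* key with its JSON path for review.
      if (/^exec/i.test(key) && !empty) {
        hits.push({ path: here, value });
      }
      findExecFields(value, here, hits);
    }
  }
  return hits;
}

// Returns a verdict for one import file given as text.
function auditImport(jsonText) {
  let data;
  try {
    data = JSON.parse(jsonText);
  } catch (err) {
    // Unparseable input is rejected rather than passed on to the importer.
    return { ok: false, reason: `not valid JSON: ${err.message}`, hits: [] };
  }
  const hits = findExecFields(data);
  return hits.length === 0
    ? { ok: true, reason: 'no exec* fields found', hits }
    : { ok: false, reason: `${hits.length} exec* field(s) present`, hits };
}

// Constructed sample: "execExample" and the other field names are hypothetical.
const SAMPLE = JSON.stringify({
  bookmarks: [
    { title: 'build box', type: 'ssh', host: 'host.example' },
    { title: 'local shell', type: 'local', execExample: 'placeholder-command' }
  ]
});

const report = auditImport(SAMPLE);
console.log(report.reason);
report.hits.forEach(h => console.log(`  ${h.path} = ${JSON.stringify(h.value)}`));
```

Pass the text of the file you intend to import to `auditImport` and import only when `ok` is true; the same check can be run on data pulled from a gist or WebDAV sync target before it is applied.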
