GHSA-jgg9-rw32-44pjCritical

Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark

Published
May 14, 2026
Last Modified
June 9, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.

Patches

Not yet

Workarounds

  • Do not import unsafe data

References

  • Report / credit: https://github.com/Curly-Haired-Baboon
  • Electerm releases: https://github.com/electerm/electerm/releases

🎯 Affected products1

  • npm/electerm:<= 3.8.8

🔗 References (3)