PT-2026-38646 · Electerm

Osageling · Published 2026-05-08 · Updated 2026-05-27 · CVE-2026-43940

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: electerm versions prior to 3.7.16
Description: The runWidget() function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user-supplied widget identifiers without sanitization. Since runWidget() is exposed to the renderer process via an asynchronous IPC handler without input validation, an attacker with JavaScript execution capabilities in the renderer—such as through a malicious plugin or a cross-site scripting flaw in the built-in webview—can use path traversal (../) to load and execute arbitrary JavaScript files from the victim's filesystem. This can lead to local code execution with the full privileges of the process and complete system compromise.
Recommendations: Update to version 3.7.16 or later. Do not install or run untrusted plugins. Avoid loading arbitrary web content inside the embedded webview by disabling features that fetch and display remote HTML. Run the software in a sandboxed environment to limit the impact of potential code execution.

Tags: Fix, RCE, Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-43940
GHSA-F77V-9VPC-6PJM

Affected Products

Electerm