CVE-2026-45787
9.1 CRITICAL
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client
Published: 2026-05-28 · Last updated: 2026-06-03
Severity and scoring
- CVSS: 9.1 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-326, CWE-329, CWE-353, CWE-759, CWE-916
Affected products
| Vendor | Product |
|---|---|
| electerm_project | electerm |
Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulnerability is fixed in 3.9.5.
Source: NVD
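The weak pattern named in the description, next to one conventional hardened construction (random per-message salt and nonce, AES-256-GCM with its authentication tag). This is an added example, not electerm's code or its 3.9.5 fix; the scrypt KDF, the salt string, the blob layout and all function names are assumptions.

```javascript
// Added illustration, not electerm's code. The KDF (scrypt), the salt
// string and the hardened blob layout are assumptions.
const nodeCrypto = require('crypto')

// Pattern from the description: constant KDF salt, fixed zero IV, no MAC.
// Same password + same plaintext gives the same bytes on every install.
function weakEncrypt (password, plaintext) {
  const key = nodeCrypto.scryptSync(password, 'constant-salt', 24)
  const cipher = nodeCrypto.createCipheriv('aes-192-cbc', key, Buffer.alloc(16, 0))
  return Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
}

// Hardened form: fresh salt and nonce per message, authenticated encryption.
// Blob layout (assumed): salt(16) | nonce(12) | tag(16) | ciphertext.
function strongEncrypt (password, plaintext) {
  const salt = nodeCrypto.randomBytes(16)
  const nonce = nodeCrypto.randomBytes(12)
  const key = nodeCrypto.scryptSync(password, salt, 32)
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce)
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct])
}

function strongDecrypt (password, blob) {
  const salt = blob.subarray(0, 16)
  const nonce = blob.subarray(16, 28)
  const key = nodeCrypto.scryptSync(password, salt, 32)
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce)
  decipher.setAuthTag(blob.subarray(28, 44))
  // final() throws if the tag does not match the ciphertext.
  const pt = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()])
  return pt.toString('utf8')
}

// Returns true when a blob with one modified bit is rejected on decrypt.
function detectsTampering (password, blob) {
  const copy = Buffer.from(blob)
  copy[copy.length - 1] ^= 0x01
  try {
    strongDecrypt(password, copy)
    return false
  } catch (err) {
    return true
  }
}
```
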
Related CVEs
Same vendor
- CVE-2026-45353 — electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client (7.8 HIGH)
Same CWE
- CVE-2026-41860 — CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM (8.8 HIGH)
- CVE-2026-8878 — Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensiti... (7.5 HIGH)
- CVE-2026-25861 — QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise... (5.9 MEDIUM)
- CVE-2026-44611 — Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brut... (5.4 MEDIUM)
- CVE-2026-45027 — WeGIA is a web manager for charitable institutions (5.9 MEDIUM)