EXECUTIVE SUMMARY:
Two vulnerabilities have been identified in electerm, exposing users to significant risks. These flaws include a command injection issue affecting file system operations and a path traversal issue within Zmodem and Trzsz download handlers. Successful exploitation could allow attackers to execute arbitrary code or write malicious files to arbitrary locations on the system. This poses a severe threat to system integrity and data confidentiality, particularly for users connecting to untrusted SSH servers. The impact ranges from unauthorized system access and data exfiltration to complete system compromise.
CVE-2026-49255 with a CVSS score of 8.8 – This command injection vulnerability allows attackers to execute arbitrary code by tricking a victim who is connected to a malicious SSH server into performing a file operation on a filename that contains shell metacharacters.
CVE-2026-49253 with a CVSS score of 7.1 – This path traversal vulnerability permits remote attackers to write files to arbitrary locations on the filesystem by sending crafted filenames during Zmodem or Trzsz file transfers.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-v5ff-xmfp-p245
https://github.com/advisories/GHSA-38j7-23hf-9mhc