Use of Password Hash With Insufficient Computational Effort in electerm | CVE-2026-45787

Q: How to fix?

Upgrade electerm to version 3.9.5 or higher.

Introduced: 14 May 2026

NewCVE-2026-45787 (opens in a new tab) CWE-326 (opens in a new tab) CWE-329 (opens in a new tab) CWE-353 (opens in a new tab) CWE-759 (opens in a new tab) CWE-916 (opens in a new tab)

How to fix?

Upgrade electerm to version 3.9.5 or higher.

Overview

electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client

Affected versions of this package are vulnerable to Use of Password Hash With Insufficient Computational Effort due to the encrypt process. An attacker can compromise the confidentiality and integrity of synced bookmark and profile data by exploiting deterministic encryption with a fixed zero IV, constant KDF salt, and lack of message authentication, allowing them to crack common passwords across installations and perform undetected ciphertext modifications.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Use of Password Hash With Insufficient Computational Effort Affecting electerm package, versions <3.9.5

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 14 May 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk