CVE-2026-43941: Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click

Electerm’s terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation.

When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, shell.openExternal executes it using the operating system’s default protocol handler.

This can be abused to:

• Trigger dangerous protocol handlers (ms-msdt:, search-ms:) for code execution
• Open local files or network shares (file://, UNC paths) to leak NTLM hashes or exfiltrate data
• Launch any installed application associated with a custom URI scheme

An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim’s machine, requiring only that the victim clicks a displayed link.