Vulnerability Database


CVE-2026-49253 — electerm

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impact

A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via the Zmodem or Trzsz protocols, electerm passes the remote-supplied filename directly to path.join() together with the user-selected download directory, without sanitization. Because path.join() normalizes ".." segments rather than rejecting them, a filename containing traversal sequences resolves to a location outside the chosen directory.

A malicious SSH server or remote shell process can send a specially crafted filename such as ../escaped.txt to escape the user-selected download directory and write files to arbitrary locations on the user's filesystem, subject to process permissions.

Attack scenario:

  1. User connects to a malicious SSH server
  2. Attacker initiates a Zmodem or Trzsz file transfer
  3. Attacker supplies a traversal filename (e.g., ../../.bashrc, ../escaped.txt)
  4. User accepts the transfer and selects a download directory
  5. File is written outside the selected directory, potentially overwriting sensitive files

Affected components:

  • src/app/server/zmodem.js - prepareReceiveFile() at line 736
  • src/app/server/trzsz.js - getUniqueFilePath() at line 559, openSaveFile() callback, and savedFilePaths mapping

Patches

  • https://github.com/electerm/electerm/commit/fde153d677a170c5816368f6586647f3af4ef284

Workarounds

If upgrading is not immediately possible, users can mitigate this vulnerability by:

  1. Only connecting to trusted SSH servers
  2. Rejecting or canceling any incoming Zmodem or Trzsz file transfers from untrusted sources
  3. Avoiding the use of Zmodem (sz/rz) and Trzsz (trz/tsz) commands on untrusted servers

CVSS v3:

  • Severity: High
  • Score: 7.1
  • AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete asset discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.