electerm

v3.9.5 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 22d CLI & Terminal

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

ai electerm electron file-manager ftp linux-app

+12 more

macos-app mcp rdp serialport sftp spice ssh telnet cli vnc windows-app zmodem

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 13d

Version v3.9.5 of electerm disables unsafe properties in deep‑link handling and prevents the renderer from accessing process.env.

Why it matters: Patch to v3.9.5 immediately to block malicious deep‑link exploitation and eliminate renderer access to environment variables.

Summary

AI summary

Security fixes disallow unsafe deep‑link props and hide process.env from the renderer.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Security: disallow unsafe props when opening deep links. Security: disallow unsafe props when opening deep links. Source: llm_adapter@2026-05-21 Confidence: low	—
Security	Medium	Security: do not expose `process.env` to the renderer process. Security: do not expose `process.env` to the renderer process. Source: llm_adapter@2026-05-21 Confidence: low	—
Feature
Feature	Medium	Add Unix timestamp tooltip for terminal time number selections. Add Unix timestamp tooltip for terminal time number selections. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Support connection hopping in RDP session. Support connection hopping in RDP session. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Add option to skip SSL verification in WebDAV sync settings and support using system CA. Add option to skip SSL verification in WebDAV sync settings and support using system CA. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Enhance NSIS installer to preserve shortcuts during upgrades. Enhance NSIS installer to preserve shortcuts during upgrades. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	UX: no longer require entering an AI API key in the UI. UX: no longer require entering an AI API key in the UI. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Improve terminal connection failed message UI. Improve terminal connection failed message UI. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	When a widget fails to start, clean the process and show a proper error message. When a widget fails to start, clean the process and show a proper error message. Source: llm_adapter@2026-05-21 Confidence: high	—
Refactor	Medium	UI: improve bookmark control icons and use a proper icon for keep-alive. UI: improve bookmark control icons and use a proper icon for keep-alive. Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

New features/UI/Updates

Add Unix timestamp tooltip for terminal time number selections.
Support connection hopping in RDP session.
Add option to skip SSL verification in WebDAV sync settings and support using system CA.
Improve terminal connection failed message UI.
UI: improve bookmark control icons and use a proper icon for keep-alive.
Enhance NSIS installer to preserve shortcuts during upgrades.
UX: no longer require entering an AI API key in the UI.

Bug fixes & Security

Security: disallow unsafe props when opening deep links.
Security: do not expose process.env to the renderer process.
When a widget fails to start, clean the process and show a proper error message.

新功能 / 界面 / 更新

为终端时间数字选择添加 Unix 时间戳提示。
支持 RDP 会话中的连接跳转，改善 RDP 连通性。
在 WebDAV 同步设置中新增跳过 SSL 验证选项，并支持使用系统 CA。
改善终端连接失败提示的 UI 展示。
界面：优化书签控制图标，使用合适的 keep-alive 图标。
增强 NSIS 安装程序在升级时保留快捷方式（arm/x64）。
用户体验：不再需要在界面中输入 AI API Key。

Bug 修复与安全性

安全：打开深度链接时禁止不安全的 props。
安全：不再向渲染进程暴露 process.env。
当 widget 启动失败时，清理进程并显示合适的错误信息。

Download下载: https://electerm.html5beta.com

Security Fixes

Disallowed unsafe props when opening deep links
Process.env no longer exposed to the renderer process

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track electerm

Get notified when new releases ship.

About electerm

Terminal/ssh/sftp/ftp/telnet/serialport/RDP/VNC/Spice client(linux, mac, win)

All releases →

Related context

Related tools

Earlier breaking changes

v3.11.0 Deprecates permissive CORS on MCP server; adds optional API key authentication.