CVE-2026-41500
Command Injection in Electerm Terminal Client
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electerm_project | electerm | up to 3.3.8 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41500 is a critical command injection vulnerability in the electerm npm package affecting versions 3.2.0 and earlier.
The vulnerability exists in the `install.js` file, specifically in the `runMac()` function, which appends attacker-controlled remote release metadata (such as `releaseInfo.name`) directly into an `exec("open ...")` command without validation.
This improper handling allows an attacker who controls the update server's metadata to execute arbitrary system commands on the victim's machine.
The issue has been patched in versions greater than 3.2.0.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of arbitrary system commands.
An attacker exploiting this flaw can modify local files or escalate compromise of development or runtime assets on the affected system.
The vulnerability affects users who run `npm install -g electerm` on macOS, potentially leading to full compromise of confidentiality, integrity, and availability of the system.
The CVSS score of 9.8 reflects the high severity and impact of this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this critical command injection vulnerability in electerm, you should upgrade electerm to a patched version greater than 3.2.0, preferably version 3.3.8 or later where the issue has been fixed.
Users running electerm via npm on macOS should update by re-running the installation command, for example `npm install -g electerm`, to obtain the fixed version.
No workarounds are available, so upgrading is the only effective immediate mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a critical command injection flaw that allows attackers to execute arbitrary system commands, potentially modifying local files or escalating compromise of development or runtime assets.
Such a vulnerability could impact compliance with standards like GDPR or HIPAA because it threatens the confidentiality, integrity, and availability of data and systems.
However, there is no explicit information in the provided resources about direct effects or assessments related to compliance with these regulations.