CVE-2026-41500
Analyzed Analyzed - Analysis Complete
Command Injection in Electerm Terminal Client

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41500
EUVD
EUVD-2026-28496
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
electerm_project electerm to 3.3.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41500 is a critical command injection vulnerability in the electerm npm package affecting versions 3.2.0 and earlier.

The vulnerability exists in the install.js file, specifically in the runMac() function, which appends attacker-controlled remote release metadata (such as releaseInfo.name) directly into an exec("open ...") command without validation.

This improper handling allows an attacker who controls the update server's metadata to execute arbitrary system commands on the victim's machine.

The issue has been patched in versions greater than 3.2.0.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary system commands.

An attacker exploiting this flaw can modify local files or escalate compromise of development or runtime assets on the affected system.

The vulnerability affects users who run npm install -g electerm on macOS, potentially leading to full compromise of confidentiality, integrity, and availability of the system.

The CVSS score of 9.8 reflects the high severity and impact of this vulnerability.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this critical command injection vulnerability in electerm, you should upgrade electerm to a patched version greater than 3.2.0, preferably version 3.3.8 or later where the issue has been fixed.

Users running electerm via npm on macOS should ensure they update by running the patched installation command, such as `npm install -g electerm` to get the fixed version.

No workarounds are available, so upgrading is the only effective immediate mitigation.

Compliance Impact

The vulnerability is a critical command injection flaw that allows attackers to execute arbitrary system commands, potentially modifying local files or escalating compromise of development or runtime assets.

Such a vulnerability could impact compliance with standards like GDPR or HIPAA because it threatens the confidentiality, integrity, and availability of data and systems.

However, there is no explicit information in the provided resources about direct effects or assessments related to compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart