CVE-2026-41501
Command Injection in Electerm Terminal Client
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electerm_project | electerm | < 3.3.8 (3.3.8 is the fixed release and is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw (CWE-77) in the Electerm npm package, in the runLinux() function of install.js. The function interpolates version strings taken from remote release metadata directly into a shell command executed through exec("rm -rf ..."), without validating them. Anyone who can control that metadata (for example the version string or release name) can therefore append shell metacharacters and run arbitrary commands on a Linux host where the package's install step executes.
How can this vulnerability impact me?
If exploited, an attacker can run arbitrary commands with the privileges of the user performing the install; if the package is installed as root, that is full control of the machine. Likely outcomes are modification or deletion of local files and compromise of the host. The page rates the severity critical, with a CVSS score of 9.8, reflecting high impact on confidentiality, integrity and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The flaw is a command injection in runLinux() in the Electerm npm package's install.js, so detection comes down to finding hosts where an affected version (earlier than 3.3.8) is installed.
- Check the globally installed Electerm version by running: npm list -g electerm
- Alternatively, check the version directly with: electerm --version (if the command is available)
Because the injected command runs during npm install on Linux, exploitation looks like an unexpected rm -rf (or other shell command) spawned by a node or npm process during package installation. Monitoring process creation for shell commands spawned from npm install, and alerting on unexpected global installs of electerm, can help surface exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Electerm to a patched version, 3.3.8 or later, where the vulnerability has been fixed.
Users running npm install -g electerm on Linux systems should make sure the version they install is 3.3.8 or later and not one of the vulnerable earlier versions.
No workarounds are available, so upgrading is the only effective immediate action.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a critical command injection flaw that allows an attacker to execute arbitrary system commands, potentially leading to unauthorized access, modification, or deletion of data.
Such unauthorized access and data manipulation could impact compliance with standards like GDPR and HIPAA, which require protection of data confidentiality, integrity, and availability.
If exploited, this vulnerability could lead to breaches of sensitive information or system compromise, thereby violating regulatory requirements for data security and privacy.
Therefore, organizations using vulnerable versions of electerm prior to 3.3.8 may face compliance risks until they apply the patch.