CVE-2026-41500
CRITICAL: electerm has Command Injection Vulnerability via runMac function
Title source: cnaDescription
electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:150. The runMac() function appends the attacker-controlled, remotely fetched releaseInfo.name directly into an exec("open ...") command string without validation, so shell metacharacters in the name are interpreted by the shell. This issue has been patched in version 3.3.8.
Core References (3)
x_refsource_confirm: https://github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f
x_refsource_misc: https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee
x_refsource_misc: https://github.com/electerm/electerm/releases/tag/v3.3.8
Scores
CVSS v3: 9.8
EPSS: 0.0019
EPSS Percentile: 41.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-77
Status: published
Products (3)
electerm/electerm: < 3.3.8
electerm_project/electerm: < 3.3.8
npm/electerm: 0 - 3.3.8 (npm)
Published: May 08, 2026
Tracked Since: May 08, 2026