CVE-2026-41500
CriticalSummary
In the electerm client prior to version 3.3.8, a command injection vulnerability allows an attacker to inject malicious code into the exec command. This issue has been patched in version 3.3.8.
Risk Assessment
This vulnerability could lead to unauthorized command execution on the system, posing a serious security risk to the organization.
Recommendation
It is recommended to update electerm to version 3.3.8 or later to mitigate this vulnerability.
Original NVD description (English source)
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.

