CVE Catalog

CVE-2026-41500

Critical
Published: Translated: NVD NIST

Summary

In the electerm client prior to version 3.3.8, a command injection vulnerability allows an attacker to inject malicious code into the exec command. This issue has been patched in version 3.3.8.

Risk Assessment

This vulnerability could lead to unauthorized command execution on the system, posing a serious security risk to the organization.

Recommendation

It is recommended to update electerm to version 3.3.8 or later to mitigate this vulnerability.

Original NVD description (English source)

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS