CVE Catalog

CVE-2026-41501

Critical
Published: Translated: NVD NIST

Summary

In the electerm client prior to version 3.3.8, a command injection vulnerability exists that allows an attacker to append malicious version strings into an exec command without validation. This issue has been patched in version 3.3.8.

Risk Assessment

This vulnerability could lead to unauthorized file deletion on the victim's system, posing a serious threat to data integrity.

Recommendation

It is recommended to update the electerm client to version 3.3.8 or later to mitigate this vulnerability.

Original NVD description (English source)

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation. This issue has been patched in version 3.3.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS