CVE-2026-41501
CriticalSummary
In the electerm client prior to version 3.3.8, a command injection vulnerability exists that allows an attacker to append malicious version strings into an exec command without validation. This issue has been patched in version 3.3.8.
Risk Assessment
This vulnerability could lead to unauthorized file deletion on the victim's system, posing a serious threat to data integrity.
Recommendation
It is recommended to update the electerm client to version 3.3.8 or later to mitigate this vulnerability.
Original NVD description (English source)
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation. This issue has been patched in version 3.3.8.

