Critical severity 9.8 · GHSA Advisory · Published May 8, 2026 · Updated May 8, 2026
CVE-2026-41500
Description
electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:150. The runMac() function appends the attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.
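The pattern the description refers to, next to one way to harden it, as an added example that is not electerm's install.js or its 3.3.8 patch. The function names, the `.dmg` allowlist pattern, the `/tmp/dl` directory and the sample names are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names, not the project's code.
const { execFile } = require('node:child_process');
const path = require('node:path');

// Vulnerable shape: a remote-supplied name is concatenated into a string
// that exec() would hand to the shell, so metacharacters in it are parsed.
function unsafeOpenCommand(downloadDir, releaseName) {
  return `open ${downloadDir}/${releaseName}`;
}

// Allowlist for the expected artifact name (assumed pattern): starts with an
// alphanumeric, no path separators or shell metacharacters, ends in .dmg.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.dmg$/;

// Returns the argv for `open`, or throws if the name is not a plain file name.
function safeOpenArgs(downloadDir, releaseName) {
  if (typeof releaseName !== 'string' || !SAFE_NAME.test(releaseName)) {
    throw new Error('rejected release name');
  }
  const base = path.resolve(downloadDir);
  const target = path.join(base, releaseName);
  // Defense in depth: the joined path must stay directly inside downloadDir.
  if (path.dirname(target) !== base) {
    throw new Error('release name escapes download directory');
  }
  return [target];
}

// Hardened call: execFile passes argv straight to the program, so no shell
// ever interprets the release name.
function openRelease(downloadDir, releaseName, cb) {
  return execFile('open', safeOpenArgs(downloadDir, releaseName), cb);
}

// Constructed sample names (not taken from any real release feed).
for (const name of ['electerm-3.3.8-mac-x64.dmg', 'x.dmg; echo INJECTED']) {
  console.log('unsafe string:', unsafeOpenCommand('/tmp/dl', name));
  try {
    console.log('  accepted argv:', safeOpenArgs('/tmp/dl', name));
  } catch (e) {
    console.log('  denied:', e.message);
  }
}
```

Validation and `execFile` are independent controls: the allowlist rejects unexpected names early, while the argv form removes shell parsing even if the allowlist is later loosened.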
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| electerm (npm) | < 3.3.8 | 3.3.8 |
References
- github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee (nvd; Patch; WEB)
- github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f (nvd; Patch, Vendor Advisory; WEB)
- github.com/advisories/GHSA-wxw2-rwmh-vr8f (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-41500 (ghsa; ADVISORY)
- github.com/electerm/electerm/releases/tag/v3.3.8 (nvd; Release Notes; WEB)