VYPR
Critical severity9.8GHSA Advisory· Published May 8, 2026· Updated May 8, 2026

CVE-2026-41500

CVE-2026-41500

Description

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
electermnpm
< 3.3.83.3.8

Affected products

3
  • Electerm/ElectermGHSA2 versions
    < 3.3.8+ 1 more
    • (no CPE)range: < 3.3.8
    • cpe:2.3:a:electerm_project:electerm:*:*:*:*:*:*:*:*range: <3.3.8
  • ghsa-coords
    Range: < 3.3.8

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.