Description
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in electerm's npm install.js. The runMac() function concatenates attacker-controlled releaseInfo.name, taken from remotely fetched release metadata, into a shell command string that is executed via exec('open ...') without any validation or sanitization. Because Node's exec() hands that string to a shell, metacharacters in the name (quotes, semicolons, backticks, $(...)) break out of the intended open command and run arbitrary commands on the machine executing the install script, with the privileges of the user running it. The weakness is classified as CWE-77, Command Injection.

Affected Systems

The issue affects installations of electerm prior to version 3.3.8; the vulnerable code path is the runMac() function of the npm install script, so it is the macOS install path that is exposed. electerm is an open-source terminal client supporting SSH, SFTP, Telnet and several other protocols. Users should update to version 3.3.8 or later, which contains the patch.

Risk and Exploitability

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) the vulnerability is rated Critical. The EPSS score shown above is below 1% (very low), so the measured probability of exploitation is currently low despite the severity rating. The vulnerability is not listed in the CISA KEV catalog at this time. Exploitation requires control over the releaseInfo.name value that the install script fetches from its remote release source, for example by publishing a malicious release or compromising the distribution channel the script pulls from. Once a crafted name is supplied, arbitrary shell commands run on the client with the privileges of the user performing the install, potentially compromising the machine and any credentials stored by electerm.

Generated by OpenCVE AI on May 8, 2026 at 05:28 UTC.

Remediation

Vendor fix: the advisory states that the issue is patched in electerm 3.3.8. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade electerm to version 3.3.8 or later, which contains the fix.
  • If an upgrade is not possible, modify install.js where runMac() builds the command: validate releaseInfo.name against a strict allowlist (for example, alphanumerics, dot, dash and underscore only) and pass it as a separate argument to execFile rather than interpolating it into an exec() command string, since execFile does not invoke a shell.
  • As a temporary defense, avoid running the install script on macOS until patched, or ensure release metadata is fetched only from the trusted upstream source so that only trusted releases are used.

Advisories

Source: GitHub GHSA
ID: GHSA-wxw2-rwmh-vr8f
Title: electerm: electerm_install_script_CommandInjection Vulnerability Report
History

Fri, 08 May 2026 04:00:00 +0000 (record created; the fields below were added, none removed)

Description: electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.
Title: electerm has Command Injection Vulnerability via runMac function
Weaknesses: CWE-77
References: none listed
Metrics: cvssV3_1, score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-08T02:53:44.494Z
Reserved: 2026-04-20T18:18:50.680Z
Link: CVE-2026-41500

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-08T04:16:17.720
Modified: 2026-05-08T04:16:17.720
Link: CVE-2026-41500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses