CVE 9.8 CRITICAL

electerm has Command Injection Vulnerability via runMac function_CVE-2026-41500

May 7, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.

AI Analysis

Command injection vulnerability in electerm via the runMac function

Basic Information

ID CVE-2026-41500

Source GitHub_M

Published May 8, 2026 at 02:53

Affected Product

Vendor electerm

Product electerm

Version < 3.3.8

Affected Versions electerm electerm < 3.3.8

CWE Classification

CWE-77

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor electerm

Product electerm

Version < 3.3.8

References

{
    "lastseen": "",
    "description": "electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec(\"open ...\") command without validation. This issue has been patched in version 3.3.8.",
    "published": "2026-05-08T02:53:44.494Z",
    "modified": "2026-05-08T02:53:44.494Z",
    "type": "cve",
    "title": "electerm has Command Injection Vulnerability via runMac function",
    "source": "GitHub_M",
    "references": "https://github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f\nhttps://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee\nhttps://github.com/electerm/electerm/releases/tag/v3.3.8",
    "id": "CVE-2026-41500",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77"
    ],
    "cvelist": null,
    "sourceData": "electerm electerm < 3.3.8",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "electerm",
    "version": "< 3.3.8",
    "vendor": "electerm",
    "ai_description": "Command injection vulnerability in electerm via the runMac function",
    "ai_severity": "Critical",
    "ai_vendor": "electerm",
    "ai_product": "electerm",
    "ai_version": "< 3.3.8",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply