CRITICAL🇵🇱 Wersja polska

CVE-2026-41500

CVSS 9.8v3.1pub. 2026-05-08

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.

🤖 AI Analysis
How it works

The runMac() function in the npm/install.js file (line 150) directly concatenates the value of the releaseInfo.name field — controlled by an attacker and retrieved from a remote source — to the exec("open ...") command without any sanitization or validation. An attacker can craft the releaseInfo.name value to inject additional system commands that will be executed in the context of the application process. It is sufficient for the application to retrieve malicious data from a spoofed or compromised update server.

Impact

An attacker can remotely execute arbitrary system commands on the victim's machine without authentication, leading to complete compromise of confidentiality, integrity, and availability of the system (full RCE).

Mitigation & patch

Update electerm to version 3.3.8 or newer, in which the vulnerability has been removed. Patch available in the official GitHub repository of the project (tag v3.3.8).

Who is affected

Electerm Project electerm — all versions before 3.3.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Electerm Project Electerm

    APP
    Electerm Project
    < 3.3.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-45353CRITICAL9.3PL ✓ten sam produkt

Krytyczna podatność w kliencie electerm (wersje 3.0.6–3.8.8)

CVE-2026-41501CRITICAL9.8PL ✓ten sam produkt

Command injection w Electerm — wstrzyknięcie polecenia przez zdalny ciąg wersji

CVE-2026-43941CRITICAL9.6PL ✓ten sam produkt

RCE w Electerm — brak walidacji protokołu URL w handlerze hiperłączy

CVE-2026-43944CRITICAL9.4PL ✓ten sam produkt

RCE w electerm — wykonanie kodu przez deep links i spreparowane skróty

CVE-2020-23256CRITICAL9.8ten sam produkt

An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request ...