CRITICAL🇵🇱 Wersja polska

CVE-2026-41501

CVSS 9.8v3.1pub. 2026-05-08

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation. This issue has been patched in version 3.3.8.

🤖 AI Analysis
How it works

The runLinux() function in the npm/install.js file (line 130) retrieves a remote version string and inserts it directly into the exec("rm -rf ...") command without any validation or sanitization. An attacker can provide a crafted version string containing additional system commands that will be executed in the context of the Electerm process. Since the attack vector is network-based, it does not require user interaction or any privileges, making this vulnerability particularly dangerous.

Impact

An attacker can execute arbitrary system commands on the victim's machine, leading to complete compromise of confidentiality, integrity, and availability of the system (RCE). Possible consequences include data theft, malware installation, and complete host compromise.

Mitigation & patch

Electerm should be updated to version 3.3.8 or newer, where the issue has been fixed. The patch is available in the vendor's GitHub repository (commit 59708b38c8a52f5db59d7d4eff98e31d573128ee) and in release v3.3.8.

Who is affected

Electerm (electerm-project/electerm) in all versions before 3.3.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Electerm Project Electerm

    APP
    Electerm Project
    < 3.3.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-45353CRITICAL9.3PL ✓ten sam produkt

Krytyczna podatność w kliencie electerm (wersje 3.0.6–3.8.8)

CVE-2026-41500CRITICAL9.8PL ✓ten sam produkt

Command injection w electerm — wykonanie kodu przez złośliwe releaseInfo.name

CVE-2026-43941CRITICAL9.6PL ✓ten sam produkt

RCE w Electerm — brak walidacji protokołu URL w handlerze hiperłączy

CVE-2026-43944CRITICAL9.4PL ✓ten sam produkt

RCE w electerm — wykonanie kodu przez deep links i spreparowane skróty

CVE-2020-23256CRITICAL9.8ten sam produkt

An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request ...