CVE-2026-41501 CRITICAL

CVE-2026-41501: electerm has Command Injection Vulnerability via runLinux function

Vendor Electerm
Product electerm
Weakness CWE-77
Published May 8, 2026
Last update May 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation, so shell metacharacters in the remote string are interpreted by the shell that exec() spawns. This issue has been patched in version 3.3.8.

Key dates

Disclosure timeline

May 8, 2026 CVE published
May 8, 2026 Record updated