What is the CVSS score of CVE-2026-41500?

CVE-2026-41500 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of electerm are affected by CVE-2026-41500?

CVE-2026-41500 is a critical command injection vulnerability in the electerm npm package that allows unauthenticated remote code execution during global installation on macOS systems.. A patch is available.

electerm CVE-2026-41500

EUVD-2026-28496 CRITICAL

Command Injection (CWE-77)

2026-05-08 GitHub_M

GHSA-wxw2-rwmh-vr8f

Command Injection Node.js

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 08, 2026 - 05:01 EUVD

Source Code Evidence Fetched

May 08, 2026 - 04:30 vuln.today

Analysis Generated

May 08, 2026 - 04:30 vuln.today

CVE Published

May 08, 2026 - 02:53 nvd

CRITICAL 9.8

DescriptionNVD

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.

AnalysisAI

Command injection in electerm's npm install script allows arbitrary command execution on macOS systems during 'npm install -g electerm'. The runMac() function in install.js:150 passes attacker-controlled remote release metadata (releaseInfo.name) directly to exec('open ...') without validation, enabling remote code execution as the installing user. …

RemediationAI

Within 24 hours: Identify all macOS systems with electerm installed via 'npm list -g electerm' and document versions; send security alert to all developers prohibiting new installations. Within 7 days: Upgrade all affected systems to electerm version 3.3.8 or later via 'npm install -g electerm@3.3.8'; verify installation by running 'npm list -g electerm' to confirm version 3.3.8+. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41500 vulnerability details – vuln.today

Back

electerm CVE-2026-41500

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code