Skip to main content

electerm CVE-2026-41501

| EUVDEUVD-2026-28497 CRITICAL
Command Injection (CWE-77)
2026-04-24 https://github.com/electerm/electerm GHSA-8x35-hph8-37hq
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 24, 2026 - 21:00 vuln.today
Analysis Generated
Apr 24, 2026 - 20:45 vuln.today
Patch released
Apr 24, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 24, 2026 - 20:45 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Impact

_What kind of vulnerability is it? Who is impacted?_

Command Injection vulnerabilities in electerm:

A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation.

Who is impacted: Users who run npm install -g electerm in Linux. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.

---

Patches

_Has the problem been patched? What versions should users upgrade to?_

Fixed in 59708b38c8a52f5db59d7d4eff98e31d573128ee, user no need to upgrade, the new version already published in npm

---

Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

no

AnalysisAI

Remote code execution in electerm's npm install script allows unauthenticated attackers to execute arbitrary system commands on Linux systems during package installation. The install.js script unsafely concatenates attacker-controlled version strings from the project's update server directly into an 'rm -rf' command, enabling command injection. This critically affects users installing electerm via 'npm install -g electerm' on Linux, as a compromised update server or man-in-the-middle attacker could inject malicious commands during the installation process. The vulnerability has been patched in commit 59708b38c8, and the fixed version is already published to npm.

Technical ContextAI

This is a classic command injection vulnerability (CWE-77) in a Node.js package's installation script. The vulnerable code path exists in github.com/elcterm/electerm/npm/install.js at line 130, specifically in the runLinux() function. During npm installation, this script fetches release metadata (version strings or release names) from the electerm update server and directly concatenates these values into shell commands executed via Node's child_process.exec() method, specifically an 'rm -rf' command for cleanup operations. Because the remote version strings are not validated or sanitized before being passed to the shell, an attacker who controls the update server response or intercepts the network traffic can inject arbitrary shell metacharacters and commands. The pkg:npm/electerm CPE indicates this affects the npm package distribution channel, making the attack surface any Linux system performing fresh installations or updates of the electerm package.

RemediationAI

Update to the latest version of electerm from npm, which includes the fix from commit 59708b38c8a52f5db59d7d4eff98e31d573128ee. The vendor states the patched version has already been published to the npm registry, so running 'npm update -g electerm' or 'npm install -g electerm@latest' will install the secure version. Verify the installed version includes the patch by checking the package's git commit hash or installation date post-fix publication. The vendor explicitly states no workarounds are available, so upgrading is the only remediation path. Organizations should audit CI/CD pipelines, container base images, and developer environments to ensure they pull the patched version. For air-gapped environments or situations where immediate updates are not feasible, implement network controls to ensure npm installations only occur over verified, encrypted channels to trusted npm registries, and consider using package lock files with hash verification to prevent installation of compromised packages. Review the GitHub advisory at https://github.com/electerm/electerm/security/advisories/GHSA-8x35-hph8-37hq and the patch commit at https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee for technical details.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-41501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy