
electerm EUVD-2026-28497

CVE-2026-41501 | CRITICAL (CVSS 3.1 base score 9.8)
Command Injection (CWE-77)
Published 2026-04-24 | https://github.com/electerm/electerm | GHSA-8x35-hph8-37hq

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis generated: Apr 24, 2026 - 21:00 (vuln.today)
Analysis generated: Apr 24, 2026 - 20:45 (vuln.today)
Patch released (patch available): Apr 24, 2026 - 20:45 (nvd)
CVE published: Apr 24, 2026 - 20:45 (nvd)

Description (NVD)

Impact

_What kind of vulnerability is it? Who is impacted?_

Command Injection vulnerabilities in electerm:

A command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation.

Who is impacted: users who run npm install -g electerm on Linux. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper with local files, and extend the compromise to development and runtime assets.

---

Patches

_Has the problem been patched? What versions should users upgrade to?_

Fixed in 59708b38c8a52f5db59d7d4eff98e31d573128ee. Users need not upgrade: the new version is already published on npm.

---

Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

No.

Analysis (AI)

Remote code execution in electerm's npm install script allows unauthenticated attackers to execute arbitrary system commands on Linux systems during package installation. The install.js script unsafely concatenates attacker-controlled version strings from the project's update server directly into an 'rm -rf' command, enabling command injection. …


Remediation (AI)

Within 24 hours: Inventory all systems with electerm installed globally (npm list -g electerm) and revoke any credentials or access from affected machines pending remediation. Within 7 days: Update electerm to the patched version (commit 59708b38c8 or later) via 'npm install -g electerm@latest' on all affected systems, and verify installation integrity. …

