Critical (9.8)

electerm unauth command injection (CVE-2026-41500)

CVE-2026-41500: Critical unauth command injection in electerm <3.3.8 lets attackers run arbitrary macOS commands. Patch now to version 3.3.8.

Patch now - CVE-2026-41500 is a critical unauthenticated command injection vulnerability in electerm prior to version 3.3.8 that lets remote attackers execute arbitrary commands on macOS systems. Patched in version 3.3.8 - update immediately.

Overview

CVE-2026-41500 is a command injection vulnerability in the open-source terminal/SSH/SFTP client electerm. The flaw exists in the runMac() function within github.com/electerm/electerm/npm/install.js:150. This function constructs an exec("open ...") command using attacker-controlled releaseInfo.name data without any sanitization or validation. An attacker who can manipulate the release name can inject arbitrary shell commands that execute with the privileges of the user running the electerm installation process.

The vulnerability requires no authentication, no user interaction, and can be exploited over the network - making it trivially exploitable once an attacker can control the release metadata that electerm fetches.

Impact

A successful exploit allows a remote, unauthenticated attacker to execute arbitrary shell commands on any macOS system running electerm version 3.3.7 or earlier. The attacker can achieve the same privileges as the user running the electerm installation. This could lead to complete system compromise, including data theft, installation of malware, or lateral movement within the victim’s network.

The CVSS score of 9.8 (Critical) reflects the minimal barriers to exploitation: network-based attack vector, low complexity, no privileges required, and no user interaction needed.

Affected Versions

  • electerm versions prior to 3.3.8 are vulnerable
  • electerm version 3.3.8 contains the fix

Remediation

Patch Now - Upgrade electerm to version 3.3.8 or later immediately. This version strips the name field from GitHub release data before passing it to the exec function, preventing command injection.

Mitigation Steps

  1. Update electerm to the latest patched version (3.3.8+)
  2. If immediate patching is not possible, restrict outbound network access from systems running electerm to prevent fetching release metadata from untrusted sources
  3. Monitor for suspicious child processes spawned by electerm, particularly those involving bash, osascript, or unexpected open commands with unusual arguments

Attack patterns similar to this command injection, where installer scripts trust external data, have been observed in recent supply-chain attacks. For example, the GlassWorm attack used stolen GitHub tokens to force-push malware into Python repositories by abusing trusted update channels.

Security Insight

This vulnerability represents a fundamental trust failure in how open-source tools handle external data during installation. The install.js script assumes that GitHub release names are safe for shell execution - an assumption that has burned countless projects. This pattern of trusting metadata from package registries or release APIs without sanitization is a recurring weakness in the open-source supply chain. Developers building installation routines should treat all external strings as attacker-controlled and use structured APIs (not shell commands) to handle them.
