Critical (9.8)

electerm unauthenticated RCE (CVE-2026-41501)

CVE-2026-41501

CVE-2026-41501: critical RCE in electerm <3.3.8 lets attackers execute commands without authentication via version string injection. Patch by updating to 3.3.8.

Patch now - CVE-2026-41501 is a critical command injection vulnerability in electerm versions prior to 3.3.8 that grants unauthenticated remote code execution. A patch is available in version 3.3.8 - update immediately.

Overview

CVE-2026-41501 affects the open-source terminal client electerm, which provides SSH, SFTP, RDP, VNC, and serial port connectivity. The flaw exists in the npm installation script npm/install.js (github.com/electerm/electerm) at line 130. The runLinux() function appends an attacker-controlled remote version string directly into an exec("rm -rf ...") command without any input validation or sanitization, so shell metacharacters in that string become part of the executed command.

An unauthenticated attacker can manipulate the version response from a remote source to inject arbitrary shell commands. This command injection executes with the privileges of the user running the electerm installation or update process, giving the attacker full control over the affected system. The CVSS score of 9.8 reflects the network-based attack vector, low complexity, and the fact that no user interaction or authentication is required to exploit the flaw.

Impact

On Linux systems running electerm versions 3.3.7 and earlier, an attacker who controls a remote version endpoint can inject commands that:

  • Execute arbitrary shell commands under the victim’s user context
  • Install malware, backdoors, or cryptocurrency miners
  • Exfiltrate SSH keys, credentials, and other sensitive files from the electerm profile directory
  • Pivot to other systems the user has credentials or SSH access for

Because electerm is commonly used by developers and system administrators, a compromised installation could expose access to production servers, development environments, and infrastructure management consoles.

Remediation

  • Upgrade electerm to version 3.3.8 or later immediately. This version patches the injection point in the installation script.
  • Verify your current version by running electerm --version or checking the application’s About dialog.
  • If you cannot upgrade immediately, avoid running npm install or update commands for electerm from untrusted or public network environments.
  • Review your systems for signs of compromise if electerm was installed or updated from an untrusted network segment.

Security Insight

This vulnerability is a textbook example of why all scripting logic that processes external input must be treated as untrusted. The runLinux() function’s blind trust in a version string mirrors the mistake that led to the infamous npm package.json payload injection attacks of 2018, where build scripts executed attacker-controlled fields. For open-source tools, CI/CD pipelines and npm install hooks are especially high-risk attack surfaces because they run without user oversight. Electerm’s maintainers responded responsibly by patching within a single version cycle, but this incident underscores the need for downstream consumers to audit installation scripts in tools they distribute.
