Overview
A critical command injection vulnerability (CVE-2026-41500) has been disclosed in electerm, a popular open-source terminal, SSH, SFTP, RDP, VNC, and serial port client. The flaw resides in the macOS install script at npm/install.js:150, where the runMac() function concatenates an attacker-controlled releaseInfo.name value directly into a shell command string without sanitization.
With a CVSS score of 9.8 (Critical), successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands in the context of the user running the installer.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| electerm (macOS) | All versions before 3.3.8 | 3.3.8 |
Technical Details
The vulnerability exists in npm/install.js at line 150. The runMac() function fetches release information from a remote source and constructs a shell command by directly interpolating releaseInfo.name:
```javascript
// Vulnerable pattern (simplified): releaseInfo.name comes from the remote
// release metadata and is interpolated verbatim into a shell command string.
const { spawn } = require('child_process');

const cmd = `chmod +x /tmp/${releaseInfo.name} && /tmp/${releaseInfo.name}`;
spawn(cmd, { shell: true }); // shell: true hands the whole string to /bin/sh
```
Because releaseInfo.name is sourced from a remote endpoint without integrity validation, an attacker who can intercept or control the update server response (e.g., via a supply chain compromise, DNS hijacking, or man-in-the-middle attack) can inject arbitrary shell commands.
Exploitation Scenarios
- Supply chain attack: Compromise of the electerm release server or CDN to serve a malicious releaseInfo.name
- Man-in-the-middle: Interception of HTTP update checks on untrusted networks
- DNS hijacking: Redirect update requests to an attacker-controlled server
The { shell: true } option passed to spawn() is what enables shell interpretation of the injected content: the command string is handed to /bin/sh, so semicolons and other shell metacharacters inside releaseInfo.name become command separators and substitutions rather than literal characters of a file name.
Impact
An attacker who successfully exploits this vulnerability can:
- Execute arbitrary commands with the privileges of the user running electerm
- Install persistent backdoors or credential stealers
- Exfiltrate SSH keys, session tokens, and other secrets accessible via the terminal client
- Pivot to internal systems reachable from the compromised host
Given that electerm is commonly used by developers and system administrators for SSH and RDP access, a compromised instance has elevated access to sensitive infrastructure.
Remediation
Update immediately to electerm version 3.3.8 or later.
Version 3.3.8 fixes the issue by validating the integrity of downloaded release artifacts and avoiding shell interpolation of remote data.
```bash
# Check installed version
electerm --version
# Update via npm
npm update -g electerm
```
If an immediate update is not possible:
- Disable automatic update checks in electerm settings
- Only download updates from the official GitHub releases page and verify checksums
- Restrict network access for the application to trusted endpoints
Timeline
| Date | Event |
|---|---|
| 2026-05-08 | CVE published to NVD |
| 2026-05-08 | electerm 3.3.8 released with fix |