PT-2026-35151 · Npm · Electerm

Forimoc · Published 2026-04-24 · Updated 2026-05-12 · CVE-2026-41501

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

electerm (affected versions not specified)

Description

A command injection issue exists in the runLinux() function within github.com/elcterm/electerm/npm/install.js:130. The function appends remote version strings, which can be controlled by an attacker, directly into an exec("rm -rf ...") command without proper validation. An attacker capable of controlling the remote release metadata, such as the version string or release name served by the project's update server, could execute arbitrary system commands, tamper with local files, and compromise development or runtime assets. This affects users who run npm install -g electerm on Linux.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-41501
GHSA-8X35-HPH8-37HQ

Affected Products

Electerm