PT-2026-37124 · Electerm · Electerm
Forimoc +1 · Published 2026-04-16 · Updated 2026-05-12 · CVE-2026-41500
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: electerm versions prior to 3.3.8
Description: A command injection issue exists in the runMac() function in the file github.com/electerm/electerm/npm/install.js:150. The function appends the remote releaseInfo.name variable, which can be controlled by an attacker, directly into an exec("open ...") command without validation. This affects users running npm install -g electerm on macOS. An attacker who can control the remote release metadata served by the project's update server could execute arbitrary system commands, tamper with local files, and compromise development or runtime assets.
Recommendations: Update to version 3.3.8.

Fix

Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-41500, GHSA-WXW2-RWMH-VR8F

Affected Products: Electerm