electerm CVE-2026-41500: Critical Command Injection in Terminal Client
The National Vulnerability Database has detailed CVE-2026-41500, a critical command injection vulnerability in electerm, an open-source terminal client. Prior to version 3.3.8, the runMac() function in github.com/electerm/electerm/npm/install.js:150 appended attacker-controlled releaseInfo.name data directly to an exec("open ...") command without validating it. Because exec() passes its argument to a shell, this allows arbitrary command execution.
Rated with a CVSS v3.1 score of 9.8 (Critical), this vulnerability (CWE-77) presents a severe risk. An attacker can leverage this without authentication, making it an immediately exploitable vector for remote code execution. The impact is complete compromise of confidentiality, integrity, and availability on affected systems.
Defenders must prioritize patching electerm installations to version 3.3.8 or later. The attacker’s calculus here is straightforward: exploit an unauthenticated RCE in a widely used client to gain initial access, then pivot. This is exactly the kind of critical flaw that leads to rapid exploitation in the wild.
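The flaw class described above, shown as an added Node.js example that is not electerm's code: the string-built command next to a form that validates the name and hands it to execFile() as a single argument. The function names, the download directory parameter and the sample file names are assumptions made for illustration.

```javascript
// Added example, not electerm's code. Function names, the downloadDir
// parameter and the sample file names are assumptions for illustration.
const { execFile, execFileSync } = require('node:child_process');
const path = require('node:path');

// Vulnerable pattern: the name becomes part of a shell command line, so any
// shell metacharacters in it are interpreted by the shell that exec() spawns.
function unsafeOpenCommand(releaseName) {
  return 'open ' + releaseName; // this string would be passed to exec()
}

// Allowlist for a release asset file name: letters, digits, dot, underscore
// and hyphen, starting with an alphanumeric so it cannot look like an option.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

function isSafeReleaseName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name) && !name.includes('..');
}

// Hardened form: validate first, resolve the file inside the download
// directory, and return an argument vector instead of a command string.
function buildOpenArgs(downloadDir, releaseName) {
  if (!isSafeReleaseName(releaseName)) {
    throw new Error('rejected release name: ' + JSON.stringify(releaseName));
  }
  return [path.join(path.resolve(downloadDir), releaseName)];
}

// execFile() starts the program directly, without a shell (macOS only).
function runMacSafe(downloadDir, releaseName, cb) {
  execFile('open', buildOpenArgs(downloadDir, releaseName), cb);
}

// Shows that an argv element arrives verbatim when no shell is involved:
// a child Node process writes back the single argument it received.
function argvRoundTrip(value) {
  return execFileSync(process.execPath,
    ['-e', 'process.stdout.write(process.argv[1])', value],
    { encoding: 'utf8' });
}

// Constructed sample inputs.
const GOOD = 'electerm-3.3.8-mac-x64.dmg';
const BAD = 'electerm.dmg; echo INJECTED';
```

Validation and the shell-free call are independent layers: the allowlist rejects unexpected names early, and execFile() keeps any name that does get through from being parsed as shell syntax.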
What This Means For You
- If your organization uses electerm, you need to immediately verify all installations are updated to version 3.3.8 or later. This is a critical, unauthenticated command injection that provides a clear path to system compromise. Audit your endpoints for unpatched electerm clients and ensure your patch management processes are robust enough to catch critical updates for developer tools.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-41500: Electerm Command Injection via runMac()
```yaml
title: 'CVE-2026-41500: Electerm Command Injection via runMac()'
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the electerm installer script on Windows, specifically targeting the runMac() function's vulnerable call to 'open -a electerm' with potentially injected arguments. This rule aims to catch the command injection vulnerability CVE-2026-41500 where attacker-controlled input is directly appended to an 'open' command.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41500/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  # Note: runMac() and the 'open' command are macOS-specific, while this
  # selection matches a Windows install path. Adapt the logsource and Image
  # fields to macOS process telemetry before deploying.
  selection:
    Image|startswith:
      - 'C:\Users\*\AppData\Local\electerm\electerm\resources\app\node_modules\electerm-installer\install.js'
    CommandLine|contains:
      - 'open -a electerm'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41500 | Command Injection | electerm < 3.3.8 |
| CVE-2026-41500 | Command Injection | github.com/electerm/electerm/npm/install.js:150 |
| CVE-2026-41500 | Command Injection | runMac() function |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.