Electerm Critical Command Injection Flaw Patched (CVE-2026-41501)
The National Vulnerability Database (NVD) has detailed a critical command injection vulnerability, CVE-2026-41501, affecting versions of Electerm, an open-source terminal and remote connection client, prior to 3.3.8. The flaw resides in the install.js script, specifically within the runLinux() function. This function takes an attacker-controlled version string and embeds it directly into an exec("rm -rf ...") command without validation, so any shell metacharacters in the version string are interpreted by the shell. This oversight allows for arbitrary command execution on vulnerable systems.
The National Vulnerability Database assigns this vulnerability a CVSS score of 9.8 (CRITICAL), highlighting its severe potential impact. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a network-accessible attack with low complexity, no privileges or user interaction required, and a high impact across confidentiality, integrity, and availability. This makes it an easy target for unauthenticated remote attackers.
Electerm version 3.3.8 has addressed this vulnerability. Users are strongly advised to update immediately to this patched version. Defenders should prioritize identifying and updating any instances of Electerm running older versions to mitigate the risk of exploitation.
What This Means For You
- If your organization uses Electerm for terminal or remote access, verify that all instances are updated to version 3.3.8 or later immediately. Given the critical CVSS score and network-exploitable nature of CVE-2026-41501, unpatched systems are prime targets for remote code execution.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-41501 - Electerm Command Injection via npm install
```yaml
title: CVE-2026-41501 - Electerm Command Injection via npm install
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the npm install command for Electerm where the command line includes 'rm -rf' and a version string, indicative of the command injection vulnerability CVE-2026-41501. This vulnerability allows attackers to inject arbitrary commands by controlling the version string during the installation process.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41501/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'node.exe'
      # Linux image name; the vulnerable code path is runLinux()
      - '/node'
    # A mapping cannot repeat the CommandLine key, so the three substrings
    # are combined with the 'all' modifier: every one must be present.
    CommandLine|contains|all:
      - 'npm install @electerm/electerm'
      - 'rm -rf'
      - 'version'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41501 | Vulnerability | CVE-2026-41501 |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.