electerm: electerm_install_script_CommandInjection Vulnerability Report
- Severity:
- High
Description
Command Injection vulnerabilities in electerm:
A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation.
Recommendation
Update the electerm package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.3.8
- Patched version(s): 3.3.8
References
Related Issues
- Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor - CVE-2026-43943
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- Electerm's full process.env exposed to renderer via window.pre.env - CVE-2026-43942
- Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click - CVE-2026-43941
You might also like:
- Tags:
- npm
- electerm
Anything's wrong? Let us know Last updated on May 11, 2026


