electerm: electerm_install_script_CommandInjection Vulnerability Report

Severity:: High

Description

Command Injection vulnerabilities in electerm:

A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation.

Recommendation

Update the electerm package to the latest compatible version. Followings are version details:

Affected version(s): < 3.3.8
Patched version(s): 3.3.8

References

GHSA-wxw2-rwmh-vr8f
CVE-2026-41500
CWE-77
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor - CVE-2026-43943
html2pdf.js contains a cross-site scripting vulnerability - CVE-2026-22787
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - CVE-2026-24001
survey-pdf Upgraded jsPDF Version Due to Security Vulnerability - CVE-2026-25630

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Exploiting Server Version Disclosure

Tags:: npm; electerm

Anything's wrong? Let us know Last updated on May 11, 2026