Description
Command Injection vulnerabilities in electerm:
A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation.
Recommendation
Update the electerm package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.3.8
- Patched version(s): 3.3.8
References
Related Issues
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
- fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
You might also like:
- Tags:
- npm
- electerm
Anything's wrong? Let us know Last updated on May 12, 2026


