Description
Command Injection vulnerabilities in electerm:
A command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation, so any shell metacharacters in the remote value are interpreted by the shell that exec() spawns.
Recommendation
Update the electerm package to the latest compatible version. Version details:
- Affected version(s): < 3.3.8
- Patched version(s): 3.3.8
References
Related Issues
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that - CVE-2026-33468
- automagik-genie has a command injection vulnerability - CVE-2026-30635
- @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading - CVE-2026-41640
- Tags:
- npm
- electerm
Last updated on May 12, 2026