CVE-2026-41500: electerm: electerm_install_script_CommandInjection Vulnerability Report

April 16, 2026 (updated April 27, 2026)

What kind of vulnerability is it? Who is impacted?

Command Injection vulnerabilities in electerm:

A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation.

Who is impacted: Users who run npm install -g electerm in Mac OS. An attacker who can control the remote release metadata (version string or release name) served by the project’s update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-41500 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →