CVE-2026-41501: electerm has Command Injection via runLinux funtion

April 24, 2026 (updated May 8, 2026)

What kind of vulnerability is it? Who is impacted?

Command Injection vulnerabilities in electerm:

A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation.

Who is impacted: Users who run npm install -g electerm in Linux. An attacker who can control the remote release metadata (version string or release name) served by the project’s update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-41501 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →