Product
A command injection vulnerability, CVE-2026-49255, exists in electerm's file system operations (`rmrf`, `mv`, `cp`) due to improper sanitization of file paths containing shell metacharacters. An attacker can leverage this by presenting a malicious SSH/SFTP server with crafted filenames. When a victim performs file operations on these files, arbitrary commands can be executed on the victim's system as the electerm desktop user, potentially leading to data exfiltration, malware installation, or system compromise on both Windows and POSIX-based operating systems.