This release includes 2 security fixes for security teams reviewing exposed deployments.
Topics
+12 more
Affected surfaces
ReleasePort's take
Moderate signalReplace shell commands with fs.promises for rm, cp, mv operations to reduce security risks.
Why it matters: Mitigates unsafe file operation vulnerabilities in file system utilities; adopt the change immediately.
Summary
AI summaryUpdates New features/UI/Updates, 新功能/界面/更新, and Bug fixes across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High |
Replace shell commands with fs.promises for rm, cp, mv operations Replace shell commands with fs.promises for rm, cp, mv operations Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Security | High |
Avoid unsafe file name risk in trzsz/rzsz file transfer Avoid unsafe file name risk in trzsz/rzsz file transfer Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Feature | Medium |
Add line ending option to serial bookmark schema Add line ending option to serial bookmark schema Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Feature | Medium |
Add bookmark keyword filter to restrict access and limit props in MCP widget Add bookmark keyword filter to restrict access and limit props in MCP widget Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Feature | Medium |
Support parsing connection strings with trailing slashes Support parsing connection strings with trailing slashes Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Feature | Medium |
Support password encryption for WebDAV Support password encryption for WebDAV Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Feature | Medium |
Support loong64 legacy architecture Support loong64 legacy architecture Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Feature | Medium |
Allow manual input of font family name in settings Allow manual input of font family name in settings Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
Improve IME support Improve IME support Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Bugfix | Medium |
Fix potential memory leak (issue #4342) Fix potential memory leak (issue #4342) Source: llm_adapter@2026-05-27 Confidence: high |
— |
Full changelog
New features/UI/Updates
- Add line ending option to serial bookmark schema
- MCP widget: add bookmark keyword filter to restrict bookmark access, limit bookmark props, no auth info exposed any more
- Add support for parsing connection strings with trailing slashes
- #4353 Support password encrypt for webdav
- Support loong64 legacy (#4349)
- Support manually input font family name in setting
Bug fixes
- Improve IME support
- #4342 Fix potential memory leak (#4352)
Security
- Replace shell commands with fs.promises methods for rm, cp, and mv operations
- Avoid potential risk of unsafe file name when do trzsz/rzsz file transfer
新功能/界面/更新
- 为串口书签架构添加行尾选项
- MCP 组件:添加书签关键词过滤以限制书签访问,限制书签属性,不再暴露认证信息
- 支持解析带尾部斜杠的连接字符串
- #4353 支持 WebDAV 密码加密
- 支持 loong64 legacy (#4349)
- 支持在设置中手动输入字体名称
问题修复
- 改进 IME 支持
- #4342 修复潜在内存泄漏 (#4352)
安全
- 将 shell 命令替换为 fs.promises 方法进行 rm、cp 和 mv 操作
- 避免 trzsz/rzsz 文件传输中不安全文件名的潜在风险
Download下载: https://electerm.html5beta.com
Security Fixes
- Replaced shell commands with fs.promises methods for rm, cp, and mv operations
- Avoided potential risk from unsafe file names during trzsz/rzsz transfers
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About electerm
Terminal/ssh/sftp/ftp/telnet/serialport/RDP/VNC/Spice client(linux, mac, win)
Related context
Related tools
Earlier breaking changes
- v3.11.0 Deprecates permissive CORS on MCP server; adds optional API key authentication.
Beta — feedback welcome: [email protected]