Node.js CVE-2026-26280
Severity: HIGH (by source; primary rating from GitHub Advisory)
CVSS Vector (GitHub Advisory): CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Blast Radius: 4
Ecosystem impact: 26 npm packages depend on systeminformation (5 direct, 21 indirect); ecosystem-wide dependent count for version 5.30.8.
Description (GitHub Advisory)
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In lib/wifi.js, the wifiNetworks() function sanitizes the iface parameter on the initial call (line 437). However, when the initial scan returns empty results, a setTimeout retry (lines 440-441) calls getWifiNetworkListIw(iface) with the original unsanitized iface value, which is passed directly to execSync('iwlist ${iface} scan'). Any application passing user-controlled input to si.wifiNetworks() is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
Analysis (AI)
Command injection in systeminformation versions before 5.30.8 lets an attacker who controls the iface argument to wifiNetworks() run arbitrary OS commands. The argument is sanitized on the first scan, but when that scan returns no results the retry in the setTimeout callback passes the original, unsanitized value to execSync('iwlist ${iface} scan'). The injected command runs with the privileges of the Node.js process, not with any elevated privilege of its own. The GitHub Advisory vector rates the attack vector as local (AV:L); in practice the exposure is any code path in which an untrusted party can choose the interface name handed to si.wifiNetworks(). …
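The Description and Analysis above both describe the same shape of bug: the first call sanitizes the interface name, the retry path reuses the raw argument. The block below is an added illustration written for this page, not code from the systeminformation library. It assumes a hypothetical allowlist sanitizer (the library's own sanitizer is not reproduced here), replaces execSync with an injected `runner` so nothing is executed, and retries synchronously where the library uses setTimeout. Both variants return the command strings that would have reached the shell, so the difference is directly observable.

```javascript
// Added illustration of the sanitize-then-retry flaw. NOT systeminformation's
// source: it models the bug so the unsanitized retry can be observed offline.
// Assumptions: the allowlist sanitizer below, the `runner` stand-in for
// child_process.execSync, and a synchronous retry instead of setTimeout.

// Hypothetical allowlist sanitizer: Linux interface names are at most 15
// characters and use only letters, digits, '_', '.', ':' and '-'.
function sanitizeIface(iface) {
  return String(iface).replace(/[^A-Za-z0-9_.:-]/g, '').slice(0, 15);
}

// The command string exactly as the advisory quotes it.
function iwlistCommand(iface) {
  return `iwlist ${iface} scan`;
}

// Build a scan function that records every command instead of running it.
function makeScan(runner, executed) {
  return (name) => {
    const cmd = iwlistCommand(name);
    executed.push(cmd);
    return runner(cmd);
  };
}

// Vulnerable shape: sanitize once, then retry with the caller's raw value.
function wifiNetworksVulnerable(iface, runner) {
  const executed = [];
  const scan = makeScan(runner, executed);
  const safe = sanitizeIface(iface);
  let networks = scan(safe);
  if (networks.length === 0) {
    networks = scan(iface); // BUG: the retry reuses `iface`, not `safe`
  }
  return { networks, executed };
}

// Fixed shape: every scan, including the retry, sees only the sanitized name.
function wifiNetworksFixed(iface, runner) {
  const executed = [];
  const scan = makeScan(runner, executed);
  const safe = sanitizeIface(iface);
  let networks = scan(safe);
  if (networks.length === 0) {
    networks = scan(safe); // FIX: retry with the sanitized value
  }
  return { networks, executed };
}

// Constructed runner: the first scan finds nothing, which triggers the retry.
function emptyRunner(_cmd) {
  return [];
}

// Would this command string let the shell do more than run iwlist?
function commandIsTainted(cmd) {
  return /[;&|`$()<>\n]/.test(cmd);
}

// Run both variants against an attacker-chosen interface name (constructed).
function demo() {
  const attackerIface = 'wlan0; id > /tmp/pwned';
  const vuln = wifiNetworksVulnerable(attackerIface, emptyRunner);
  const fixed = wifiNetworksFixed(attackerIface, emptyRunner);
  return {
    vulnerableCommands: vuln.executed,
    fixedCommands: fixed.executed,
    vulnerableTainted: vuln.executed.some(commandIsTainted),
    fixedTainted: fixed.executed.some(commandIsTainted),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable variant the second recorded command is `iwlist wlan0; id > /tmp/pwned scan`, which a shell would run as three commands; in the fixed variant both recorded commands carry only the sanitized name. The same check (record what reaches the shell, then grep it for metacharacters) is a cheap regression test for any wrapper that shells out with a caller-supplied name.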
Vulnerability Assessment (AI)
| Area | Assessment |
|---|---|
| Exploitation | The attacker must be able to supply the iface argument to wifiNetworks() in an application that uses systeminformation before 5.30.8, and the initial sanitized scan for that value must return no results so that the retry with the unsanitized value fires. … |
| Risk Assessment | CVSS 8.4 (HIGH), from the GitHub Advisory vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: no privileges or user interaction required, full impact on confidentiality, integrity and availability of the host. … |
| Exploit Scenario | An attacker who can choose the interface name passed to wifiNetworks() supplies a value containing shell metacharacters. If the sanitized first scan returns nothing, the retry runs execSync('iwlist ${iface} scan') with the raw value and the embedded command executes with the privileges of the Node.js process. |
| Remediation | Upgrade systeminformation to 5.30.8 or later. Until the upgrade lands, do not pass untrusted input as the iface argument; as a compensating control, accept only interface names that match the host's actual interfaces before calling wifiNetworks(). |
Recommended Action (AI)
Within 24 hours: identify every internal application and server that bundles systeminformation, record the installed version of each copy (including nested copies under node_modules), and schedule upgrades for anything below 5.30.8. …
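One way to do the inventory step above is to audit each project's package-lock.json for every copy of systeminformation, direct or nested, and compare it with the fixed release. The script below is an added example written for this page, not vuln.today tooling or part of systeminformation. It assumes lockfile v2/v3 (a top-level "packages" map) and plain x.y.z release versions; the sample lockfile, the `some-monitor` package and its versions are constructed.

```javascript
// Added example: flag installed copies of systeminformation below 5.30.8 in a
// parsed package-lock.json. Not vuln.today or systeminformation code.
// Assumptions: lockfile v2/v3 "packages" map; plain x.y.z versions; the
// sample lockfile below is constructed.

const FIXED_VERSION = '5.30.8';

// Numeric compare of two x.y.z strings: -1, 0 or 1 (pre-release suffix ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`: nested installs live at
// node_modules/<parent>/node_modules/<name>, so match on the last segment.
function auditLock(lock, name = 'systeminformation', fixed = FIXED_VERSION) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue; // '' is the root project itself
    if (path.split('node_modules/').pop() !== name) continue;
    found.push({
      path,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixed) < 0,
    });
  }
  return found;
}

// Constructed lockfile: one direct copy that is too old, one nested copy
// already on the fixed version.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { systeminformation: '^5.21.0', 'some-monitor': '^1.0.0' } },
    'node_modules/systeminformation': { version: '5.21.20' },
    'node_modules/some-monitor': { version: '1.0.0', dependencies: { systeminformation: '^5.30.8' } },
    'node_modules/some-monitor/node_modules/systeminformation': { version: '5.30.8' },
  },
};

// Only the copies that still need an upgrade.
function vulnerableCopies(lock = sampleLock) {
  return auditLock(lock).filter((e) => e.vulnerable);
}

// Usage on a real lockfile (hypothetical path): node audit-si.js ./package-lock.json
if (typeof process !== 'undefined' && process.argv[2] && typeof require === 'function') {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  console.table(auditLock(lock));
} else {
  console.table(vulnerableCopies());
}
```

Matching on the last path segment is what catches the nested copies that `npm ls systeminformation` may report separately; a project can be clean at the top level and still ship a vulnerable copy under a transitive dependency, which is the case the blast radius figure above (21 indirect dependents) is about.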
Vendor Status
SUSE: Severity High
External POC / Exploit Code
GHSA-9c88-49p5-5ggf (GitHub Security Advisory)