CVE-2026-26280
HIGH
GHSA-9c88-49p5-5ggf
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
Analysis
Arbitrary command execution in systeminformation versions before 5.30.8 allows local attackers to execute OS commands through an unsanitized network interface parameter in the wifiNetworks() function's retry logic. Applications passing user-controlled input to this function are vulnerable to privilege escalation attacks running with Node.js process permissions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all internal applications and servers using systeminformation and document their versions. Within 7 days: Upgrade systeminformation to version 5.30.8 or later across all affected systems; prioritize internet-facing and production environments first. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today