Is Node.js affected by CVE-2026-26318?

A command injection vulnerability in the systeminformation library (CVE-2026-26318) affects Node.js applications using versions prior to 5.31.0, allowing attackers to execute arbitrary commands through unsanitized input.

CVE-2026-26318

HIGH

2026-02-19 [email protected]

GHSA-5vv4-hvf7-2h46

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 20, 2026 - 19:51 vuln.today

Public exploit code

Patch Released

Feb 20, 2026 - 19:51 nvd

Patch available

CVE Published

Feb 19, 2026 - 20:25 nvd

HIGH 8.8

Description

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

Analysis

Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. …

Remediation

Within 24 hours: Identify all Node.js applications and dependencies using systeminformation versions prior to 5.31.0 through software inventory and dependency scanning. Within 7 days: Deploy patched version 5.31.0 or later across all development, staging, and production environments; prioritize production systems first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: +20

Vendor Status

CVE-2026-26318 vulnerability details – vuln.today

Back

CVE-2026-26318

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-26318

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code