What is the CVSS score of CVE-2026-26318?

CVE-2026-26318 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-26318?

A command injection vulnerability in the systeminformation library (CVE-2026-26318) affects Node.js applications using versions prior to 5.31.0, allowing attackers to execute arbitrary commands…. A patch is available.

Is there a public PoC exploit available for CVE-2026-26318?

Yes, a public proof-of-concept exploit is available for CVE-2026-26318. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-26318?

Within 24 hours: Identify all Node.js applications and dependencies using systeminformation versions prior to 5.31.0 through software inventory and dependency scanning. Within 7 days: Deploy patched version 5.31.0 or later across all development, staging, and production environments; prioritize production systems first. Within 30 days: Complete testing and validation of patched versions, update security scanning policies to flag unpatched systeminformation, and document the patch deployment in change management records.

Node.js CVE-2026-26318

HIGH

OS Command Injection (CWE-78)

2026-02-19 security-advisories@github.com

GHSA-5vv4-hvf7-2h46

Node.js Command Injection Systeminformation Red Hat Suse

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SUSE

HIGH

qualitative

Red Hat

8.8 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 20, 2026 - 19:51 vuln.today

Public exploit code

Patch released

Feb 20, 2026 - 19:51 nvd

Patch available

CVE Published

Feb 19, 2026 - 20:25 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

22 npm packages depend on systeminformation (4 direct, 18 indirect)

Ecosystem-wide dependent count for version 5.31.0.

DescriptionGitHub Advisory

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions(). Version 5.31.0 fixes the issue.

AnalysisAI

Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Local access to Node.js application

Exploit

Call versions() function

Execution

Inject malicious command via locate output

Impact

Execute arbitrary code with application privileges

Access

Local access to Node.js application

Exploit

Call versions() function

Execution

Inject malicious command via locate output

Impact

Execute arbitrary code with application privileges

Vulnerability AssessmentAI

Exploitation	systeminformation library versions prior to 5.31.0 must be installed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Node.js applications and dependencies using systeminformation versions prior to 5.31.0 through software inventory and dependency scanning. …

Threat intelligence, references, and detailed analysis are available after sign-in.