CVE-2026-26280
HIGH8.4EPSS 0.03%Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
Description
### Summary A command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. ### Details In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. ### PoC 1. Install `[email protected]` 2. Call `si.wifiNetworks('eth0; id')` 3. The first call sanitizes input, but if results are empty, the retry executes: `iwlist eth0; id scan` ### Impact Remote Code Execution (RCE). Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process.
Affected packages (2)
- Debian/node-systeminformationfrom 0
- npm/systeminformationfrom 0, < 5.30.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-26280
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-26280
- PATCHhttps://github.com/sebhildebrandt/systeminformation
- WEBhttps://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460
- WEBhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf