Description
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
Published: 2026-02-19
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection resulting in arbitrary OS command execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from insufficient sanitization of the network interface parameter in the wifiNetworks() function of the systeminformation library. When a scan returns empty, the retry path reuses the original unsanitized iface value and passes it directly into the execSync call that runs `iwlist ${iface} scan`. An attacker controlling the iface argument can inject arbitrary OS commands, leading to full compromise of the Node.js process and, potentially, the host.

Affected Systems

The issue affects the systeminformation package maintained by sebhildebrandt. Any Node.js application that imports this library and invokes wifiNetworks() with user-supplied arguments, using a version earlier than 5.30.8, is vulnerable. Version 5.30.8 and later contain the fix.

Risk and Exploitability

The severity score of 8.4 classifies this as high. Current exploitation potential is low (EPSS <1%) and the vulnerability is not in the CISA KEV catalog, but the attack vector requires that the application execute wifiNetworks() with a controllable interface name. If the attacker can supply such input, they can execute arbitrary commands with the privileges of the Node.js process. Therefore, the risk is significant if an application processes untrusted input.

Generated by OpenCVE AI on April 17, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the systeminformation library to version 5.30.8 or later to apply the official fix.
  • If an upgrade is not yet possible, sanitize the iface parameter before passing it to si.wifiNetworks(), ensuring it contains only valid network interface names or otherwise restricting the value.
  • Run the Node.js application with the least privileges necessary, limiting the damage that could be caused by a command-execution attack.



Advisories

Source: Github GHSA
ID: GHSA-9c88-49p5-5ggf
Title: Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
History

Sat, 21 Feb 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity = None
  Values Added: threat_severity = Important

Fri, 20 Feb 2026 20:15:00 +0000

Type: First Time appeared
  Values Added: Systeminformation; Systeminformation systeminformation
Type: CPEs
  Values Added: cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*
Type: Vendors & Products
  Values Added: Systeminformation; Systeminformation systeminformation

Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Sebhildebrandt; Sebhildebrandt systeminformation
Type: Vendors & Products
  Values Added: Sebhildebrandt; Sebhildebrandt systeminformation

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics
  Values Added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 20:15:00 +0000

Type: Description
  Values Added: the CVE description as given at the top of this page
Type: Title
  Values Added: Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
Type: Weaknesses
  Values Added: CWE-78
Type: References
Type: Metrics
  Values Added: cvssV3_1 = {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-19T21:21:38.406Z
Reserved: 2026-02-12T17:10:53.414Z
Link: CVE-2026-26280

Vulnrichment

Updated: 2026-02-19T20:57:38.295Z

NVD

Status: Analyzed
Published: 2026-02-19T20:25:43.880
Modified: 2026-02-20T20:10:59.037
Link: CVE-2026-26280

Redhat

Severity: Important
Public Date: 2026-02-19T19:43:05Z
Links: CVE-2026-26280 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses