Description
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
Published: 2026-02-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerable library, systeminformation for Node.js, unsanitizes the output of the OS locate command in its versions() function. This omission allows an attacker who can influence the output of locate or its environment to inject and execute arbitrary shell commands. The consequence is a full compromise of confidentiality, integrity, and availability on the affected system, allowing attackers to run any code with the privileges of the Node.js process.

Affected Systems

All installations of the systeminformation package with a version older than 5.31.0, which is the version that contains the fix. The vulnerability applies to any Node.js application that imports and calls systeminformation. Versions protected by the update are not vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity level, while the EPSS score of less than 1% shows a low current probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to be able to execute code in the context of the Node.js application or influence the locate command's output; it is inferred that exploitation is feasible in environments where the application runs with elevated privileges or where input to locate can be controlled.

Generated by OpenCVE AI on April 18, 2026 at 11:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the systeminformation package to version 5.31.0 or later.
  • Remove or rewrite any code paths that invoke locate or systeminformation in contexts that may receive untrusted input, ensuring the command arguments are fully controlled and sanitized.
  • Run the Node.js application with the least privileged user and enforce process isolation so that even if locate output is tampered, the attacker cannot gain elevated privileges.

Generated by OpenCVE AI on April 18, 2026 at 11:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5vv4-hvf7-2h46 Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
History

Sat, 21 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 20 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Systeminformation
Systeminformation systeminformation
CPEs cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*
Vendors & Products Systeminformation
Systeminformation systeminformation

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sebhildebrandt
Sebhildebrandt systeminformation
Vendors & Products Sebhildebrandt
Sebhildebrandt systeminformation

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
Title systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Sebhildebrandt Systeminformation
Systeminformation Systeminformation
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T21:21:25.502Z

Reserved: 2026-02-13T16:27:51.807Z

Link: CVE-2026-26318

cve-icon Vulnrichment

Updated: 2026-02-19T20:57:35.530Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T20:25:44.063

Modified: 2026-02-20T19:51:20.580

Link: CVE-2026-26318

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-19T19:48:55Z

Links: CVE-2026-26318 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses