{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26280", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.414Z", "datePublished": "2026-02-19T19:43:05.868Z", "dateUpdated": "2026-02-19T21:21:38.406Z"}, "containers": {"cna": {"title": "Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf"}, {"name": "https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460", "tags": ["x_refsource_MISC"], "url": "https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460"}], "affected": [{"vendor": "sebhildebrandt", "product": "systeminformation", "versions": [{"version": "< 5.30.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:43:05.868Z"}, "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue."}], "source": {"advisory": "GHSA-9c88-49p5-5ggf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:57:36.955821Z", "id": "CVE-2026-26280", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:21:38.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26280", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T20:57:36.955821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:57:38.295Z"}}], "cna": {"title": "Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path", "source": {"advisory": "GHSA-9c88-49p5-5ggf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sebhildebrandt", "product": "systeminformation", "versions": [{"status": "affected", "version": "< 5.30.8"}]}], "references": [{"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf", "name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460", "name": "https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:43:05.868Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26280", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:21:38.406Z", "dateReserved": "2026-02-12T17:10:53.414Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T19:43:05.868Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7FB14590-E6DA-4F97-9445-43E061CAA080", "versionEndExcluding": "5.30.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue."}], "id": "CVE-2026-26280", "lastModified": "2026-02-20T20:10:59.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T20:25:43.880", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "systeminformation: systeminformation: Arbitrary command execution via unsanitized network interface parameter", "id": "2441121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441121"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in systeminformation. An attacker can exploit a command injection vulnerability in the `wifiNetworks()` function by providing a specially crafted network interface parameter. This occurs because the parameter is not properly sanitized in a retry mechanism, allowing for the execution of arbitrary operating system commands with the privileges of the Node.js process. This could lead to a complete compromise of the affected system."], "name": "CVE-2026-26280", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2026-02-19T19:43:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26280\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26280\nhttps://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460\nhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.30.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "systeminformation", "source": "cna", "vendor": "sebhildebrandt"}, "product": "systeminformation", "vendor": "sebhildebrandt"}], "analysis": {"en": {"generated_at": "2026-04-17T17:55:38.810441+00:00", "value": {"mitigation_remediation": ["Upgrade the systeminformation library to version 5.30.8 or later to apply the official fix.", "If an upgrade is not yet possible, sanitize the iface parameter before passing it to si.wifiNetworks(), ensuring it contains only valid network interface names or otherwise restricting the value.", "Run the Node.js application with the least privileges necessary, limiting the damage that could be caused by a command\u2011execution attack."], "summary": {"action": "Patch Immediately", "impact": "Command Injection resulting in arbitrary OS command execution"}, "threat_synthesis": {"affected_systems": "The issue affects the systeminformation package maintained by sebhildebrandt. Any Node.js application that imports this library and invokes wifiNetworks() with user\u2011supplied arguments, using a version earlier than 5.30.8, is vulnerable. The library version 5.30.8 and later contain the fix.", "description_and_impact": "The vulnerability arises from insufficient sanitization of the network interface parameter in the wifiNetworks function of the systeminformation library. When a scan returns empty, the retry path reuses the original unsanitized iface value and passes it directly into the execSync call that runs \u2018iwlist {iface} scan\u2019. An attacker controlling the iface argument can inject arbitrary OS commands, leading to full compromise of the Node.js process and, potentially, the host.", "risk_and_exploitability": "The severity score of 8.4 classifies this as high. Current exploitation potential is low (EPSS <1%) and the vulnerability is not in the CISA KEV catalog, but the attack vector requires that the application execute wifiNetworks() with a controllable interface name. If the attacker can supply such input, they can gain system execution rights with the privileges of the Node.js process. Therefore, the risk is significant if an application processes untrusted input."}}}}, "created": "2026-02-20T09:54:09.792748+00:00", "updated": "2026-04-17T18:00:12.183967+00:00", "vendors": ["sebhildebrandt", "sebhildebrandt$PRODUCT$systeminformation"]}