{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26318", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.807Z", "datePublished": "2026-02-19T19:48:55.816Z", "dateUpdated": "2026-02-19T21:21:25.502Z"}, "containers": {"cna": {"title": "systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46"}, {"name": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107", "tags": ["x_refsource_MISC"], "url": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107"}], "affected": [{"vendor": "sebhildebrandt", "product": "systeminformation", "versions": [{"version": "< 5.31.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:48:55.816Z"}, "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue."}], "source": {"advisory": "GHSA-5vv4-hvf7-2h46", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:57:34.116139Z", "id": "CVE-2026-26318", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:21:25.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26318", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T20:57:34.116139Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:57:35.530Z"}}], "cna": {"title": "systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`", "source": {"advisory": "GHSA-5vv4-hvf7-2h46", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sebhildebrandt", "product": "systeminformation", "versions": [{"status": "affected", "version": "< 5.31.0"}]}], "references": [{"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46", "name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107", "name": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:48:55.816Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26318", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:21:25.502Z", "dateReserved": "2026-02-13T16:27:51.807Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T19:48:55.816Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "809E119A-47CB-4DDB-BB2B-A587E4D50E15", "versionEndExcluding": "5.31.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue."}], "id": "CVE-2026-26318", "lastModified": "2026-02-20T19:51:20.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T20:25:44.063", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "systeminformation: systeminformation: Arbitrary code execution via unsanitized `locate` output", "id": "2441124", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441124"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-26318", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2026-02-19T19:48:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26318\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26318\nhttps://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107\nhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.31.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "systeminformation", "source": "cna", "vendor": "sebhildebrandt"}, "product": "systeminformation", "vendor": "sebhildebrandt"}], "analysis": {"en": {"generated_at": "2026-04-18T11:44:15.558154+00:00", "value": {"mitigation_remediation": ["Upgrade the systeminformation package to version 5.31.0 or later.", "Remove or rewrite any code paths that invoke locate or systeminformation in contexts that may receive untrusted input, ensuring the command arguments are fully controlled and sanitized.", "Run the Node.js application with the least privileged user and enforce process isolation so that even if locate output is tampered, the attacker cannot gain elevated privileges."], "summary": {"action": "Apply Patch", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "All installations of the systeminformation package with a version older than 5.31.0, which is the version that contains the fix. The vulnerability applies to any Node.js application that imports and calls systeminformation. Versions protected by the update are not vulnerable.", "description_and_impact": "The vulnerable library, systeminformation for Node.js, unsanitizes the output of the OS locate command in its versions() function. This omission allows an attacker who can influence the output of locate or its environment to inject and execute arbitrary shell commands. The consequence is a full compromise of confidentiality, integrity, and availability on the affected system, allowing attackers to run any code with the privileges of the Node.js process.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity level, while the EPSS score of less than 1% shows a low current probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to be able to execute code in the context of the Node.js application or influence the locate command's output; it is inferred that exploitation is feasible in environments where the application runs with elevated privileges or where input to locate can be controlled."}}}}, "created": "2026-02-20T09:54:08.850188+00:00", "updated": "2026-04-18T11:45:44.601193+00:00", "vendors": ["sebhildebrandt", "sebhildebrandt$PRODUCT$systeminformation"]}