CVE-2026-26318

Summary

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions(). Version 5.31.0 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
sebhildebrandtsysteminformation< 5.31.0affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

systeminformation: systeminformation: Arbitrary code execution via unsanitized locate output

Additional References

References