CVE-2026-26280
systeminformation is a system and OS information library for Node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
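For applications that pass an interface name to `si.wifiNetworks()`, a caller-side guard can refuse to run on versions before 5.30.8 and accept only names that match an interface present on the host. This is an added example, not code from the advisory or from systeminformation; the helper names (`isPatched`, `safeIface`, `guardedWifiNetworks`) are hypothetical, and the name pattern assumes Linux interface naming.

```javascript
// Added example: caller-side guard for si.wifiNetworks(); all helper names are hypothetical.
const FIXED = [5, 30, 8]; // first fixed release named in the description above

// Assumption: Linux naming, at most 15 characters (IFNAMSIZ - 1), conservative charset.
const IFACE_RE = /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}$/;

// Parse "5.30.7" or "v5.30.7" into [5, 30, 7]; return null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// True only for 5.30.8 or later. Unparseable versions fail closed.
function isPatched(v) {
  const parts = parseVersion(v);
  if (!parts) return false;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] > FIXED[i];
  }
  return true;
}

// Return the name only if it is a string, matches the charset and is an
// interface that exists on this host; otherwise return null.
function safeIface(name, known = Object.keys(require('os').networkInterfaces())) {
  if (typeof name !== 'string' || !IFACE_RE.test(name)) return null;
  return known.includes(name) ? name : null;
}

// Wrap the library call. `si` is the imported systeminformation module and
// `installedVersion` its version string (for example from its package.json).
async function guardedWifiNetworks(si, installedVersion, iface, known) {
  if (!isPatched(installedVersion)) {
    throw new Error('systeminformation < 5.30.8: upgrade before accepting iface input');
  }
  const safe = safeIface(iface, known);
  if (safe === null) {
    throw new Error('rejected network interface name');
  }
  return si.wifiNetworks(safe);
}
```

The allow-list check is defence in depth; upgrading to 5.30.8 or later remains the fix.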
EPSS 0.03% · 9.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | systeminformation | 0, 0 |
| sebhildebrandt | systeminformation | < 5.30.8, * |
| systeminformation | systeminformation | 0, 0 |
Timeline
- Feb 18, 2026 CVE Published
- Feb 19, 2026 CVE Updated
- Feb 19, 2026 PoC Published
- Feb 19, 2026 PoC Published
- Feb 20, 2026 EPSS Score
- Feb 21, 2026 PoC Published
- Feb 22, 2026 EPSS Score
- Feb 23, 2026 EPSS Score
- Feb 25, 2026 EPSS Score
- Feb 27, 2026 EPSS Score
- Feb 28, 2026 EPSS Score
- Mar 2, 2026 EPSS Score
References
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf url
- https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-26280 advisory
- https://github.com/sebhildebrandt/systeminformation package