CVE-2026-26280

Описание

systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In lib/wifi.js, the wifiNetworks() function sanitizes the iface parameter on the initial call (line 437). However, when the initial scan returns empty results, a setTimeout retry (lines 440-441) calls getWifiNetworkListIw(iface) with the original unsanitized iface value, which is passed directly to execSync('iwlist ${iface} scan'). Any application passing user-controlled input to si.wifiNetworks() is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.

A flaw was found in systeminformation. An attacker can exploit a command injection vulnerability in the wifiNetworks() function by providing a specially crafted network interface parameter. This occurs because the parameter is not properly sanitized in a retry mechanism, allowing for the execution of arbitrary operating system commands with the privileges of the Node.js process. This could lead to a complete compromise of the affected system.