Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
Severity: High
Description
Package: systeminformation (npm)
Tested Version: 5.30.7
Affected Platform: Linux
Author: Sebastian Hildebrandt
Weekly Downloads: ~5,000,000+
Repository: https://github.com/sebhildebrandt/systeminformation
Severity: Medium
CWE: CWE-78 (OS Command Injection)
Recommendation
Update the systeminformation package to the latest compatible version. Version details:
- Affected version(s): <= 5.30.7
- Patched version(s): 5.31.0
References
Related Issues
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. - CVE-2026-32763
Tags: npm, systeminformation
Last updated on February 19, 2026