Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation

Severity:: High

Description

Package: systeminformation (npm)
Tested Version: 5.30.7
Affected Platform: Linux
Author: Sebastian Hildebrandt
Weekly Downloads: ~5,000,000+
Repository: https://github.com/sebhildebrandt/systeminformation
Severity: Medium
CWE: CWE-78 (OS Command Injection)

Recommendation

Update the systeminformation package to the latest compatible version. Followings are version details:

Affected version(s): <= 5.30.7
Patched version(s): 5.31.0

References

GHSA-5vv4-hvf7-2h46
CVE-2026-26318
CWE-78
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input - CVE-2026-42853
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream - CVE-2026-42037

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; systeminformation

Anything's wrong? Let us know Last updated on February 19, 2026