Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
- Severity: High
Description
A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.
Recommendation
Update the systeminformation package to the latest compatible version. Version details:
- Affected version(s): < 5.30.8
- Patched version(s): 5.30.8
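For code that passes an interface name to an OS command and retries on failure, the pattern below guards against the class of bug described above. It is an added example, not code from systeminformation or its patch. The `iwlist <iface> scan` command, the allow-list pattern and all function names are assumptions chosen for illustration.

```javascript
// Added illustration; not systeminformation's code. All names are hypothetical.
// Conservative allow-list for Linux interface names (kernel limit: 15 chars).
// The first character may not be '-', so a name can never be read as an option.
const IFACE_RE = /^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,14}$/;

function validateIface(name) {
  if (typeof name !== 'string' || !IFACE_RE.test(name) || name === '.' || name === '..') {
    throw new TypeError('invalid interface name');
  }
  return name;
}

// Single choke point: every caller, including retries, gets its argv here.
// The result is an argument vector for execFile(), never a shell string.
function scanCommand(iface) {
  return { file: 'iwlist', args: [validateIface(iface), 'scan'] };
}

// Default runner uses execFile, which does not spawn a shell.
async function execRunner({ file, args }) {
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) =>
    execFile(file, args, (err, stdout) => (err ? reject(err) : resolve(stdout))));
}

// Retry loop: the command is rebuilt through scanCommand() on each attempt,
// so the retry path cannot bypass validation.
async function scanWithRetry(iface, run = execRunner, attempts = 2) {
  let lastErr;
  for (let i = 0; i < attempts; i++) {
    try {
      return await run(scanCommand(iface));
    } catch (err) {
      if (err instanceof TypeError) throw err; // bad input: do not retry
      lastErr = err;
    }
  }
  throw lastErr;
}
```

Passing a stub as `run` lets the retry behaviour be unit-tested without a wireless interface present.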
References
Related Issues
- Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation - CVE-2026-26318
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter - CVE-2026-29793
- Tags: npm, systeminformation
Last updated on February 19, 2026