Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path

Severity:: High

Description

A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.

Recommendation

Update the systeminformation package to the latest compatible version. Followings are version details:

Affected version(s): < 5.30.8
Patched version(s): 5.30.8

References

GHSA-9c88-49p5-5ggf
CVE-2026-26280
CWE-78
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation - CVE-2026-26318
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; systeminformation

Anything's wrong? Let us know Last updated on February 19, 2026