Moderate severity · NVD Advisory · Published Sep 9, 2021 · Updated Aug 4, 2024
Command injection in systeminformation
CVE-2020-26300
Description
systeminformation is an npm package that provides a system and OS information library for Node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. The problem was fixed in version 4.26.2 with a shell string sanitation fix.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| systeminformation (npm) | < 4.26.2 | 4.26.2 |
Affected products
- Range: < 4.26.2
Patches
bad372e654cd: improved shell sanitation
1 file changed · +3 −0
lib/util.js+3 −0 modified@@ -503,6 +503,9 @@ function sanitizeShellString(str) { result = result.replace(/\$/g, ""); result = result.replace(/#/g, ""); result = result.replace(/\\/g, ""); + result = result.replace(/\t/g, ""); + result = result.replace(/\n/g, ""); + result = result.replace(/\"/g, ""); return result }
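Review bot: the three added replace() calls in sanitizeShellString strip `\t`, `\n` and `"`, but `\r` is not among the visible replacements, so the control-character handling looks incomplete; consider removing all control characters with a single pattern rather than one replace per character. The escape in `/\"/g` is unnecessary, since `/"/g` matches the same thing. The commit touches only lib/util.js (+3 −0), so a regression test that feeds tab, newline and double quote through the sanitizer should accompany it. Longer term, a denylist like this needs a new line for every character that turns out to matter; passing arguments as an array to a non-shell exec call would remove the dependency on string stripping.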
References
- github.com/advisories/GHSA-fj59-f6c3-3vw4 (ghsa, x_refsource_CONFIRM, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-26300 (ghsa, ADVISORY)
- github.com/sebhildebrandt/systeminformation/commit/bad372e654cdd549e7d786acbba0035ded54c607 (ghsa, x_refsource_MISC, WEB)
- github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-fj59-f6c3-3vw4 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/package/systeminformation (ghsa, x_refsource_MISC, WEB)