Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
Description
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In lib/wifi.js, the wifiNetworks() function sanitizes the iface parameter on the initial call (line 437). However, when the initial scan returns empty results, a setTimeout retry (lines 440-441) calls getWifiNetworkListIw(iface) with the original unsanitized iface value, which is passed directly to execSync('iwlist ${iface} scan'). Any application passing user-controlled input to si.wifiNetworks() is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| systeminformation (npm) | < 5.30.8 | 5.30.8 |
Affected products
- Range: < 5.30.8
Patches
22242aa56188 wifiNetworks() fixed CWE-78 command injection issue (linux)
6 files changed · +28 −7
CHANGELOG.md+1 −0 modified@@ -90,6 +90,7 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page. | Version | Date | Comment | | ------- | ---------- | --------------------------------------------------------------------------------------------------- | +| 5.30.8 | 2026-02-14 | `wifiNetworks()` fixed CWE-78 command injection issue (linux) | | 5.30.7 | 2026-01-31 | `networkInterfaces()` fixed getWindowsIEEE8021x issue (windows) | | 5.30.6 | 2026-01-22 | `graphics()` improved nvidia-smi detection (windows) | | 5.30.5 | 2026-01-16 | `networkInterfaces()` fix uppercase iface names (linux) |
docs/history.html+6 −0 modified@@ -57,6 +57,12 @@ <h3>Full version history</h3> </tr> </thead> <tbody> + <tr> + <th scope="row">5.30.8 + </th> + <td>2026-02-14</td> + <td><span class="code">wifiNetworks()</span> fixed CWE-78 command injection issue (linux)</td> + </tr> <tr> <th scope="row">5.30.7 </th>
docs/index.html+3 −3 modified@@ -166,11 +166,11 @@ <body> <header class="bg-image-full"> <div class="top-container"> - <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.27.14</a> + <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.30.8</a> <img class="logo" src="assets/logo.png" alt="logo"> <div class="title">systeminformation</div> <div class="subtitle"><span id="typed"></span> </div> - <div class="version">New Version: <span id="version">5.30.7</span></div> + <div class="version">New Version: <span id="version">5.30.8</span></div> <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button> </div> <div class="down"> @@ -212,7 +212,7 @@ <div class="title">Downloads last month</div> </div> <div class="col-xl-4 col-lg-4 col-md-4 col-12"> - <div class="numbers">957</div> + <div class="numbers">969</div> <div class="title">Dependents</div> </div> </div>
docs/security.html+15 −1 modified@@ -44,6 +44,21 @@ <div class="col-12 sectionheader"> <div class="title">Security Advisories</div> <div class="text"> + <h2>wifiNetworks Command Injection Vulnerability</h2> + <p><span class="bold">Affected versions:</span> + < 5.30.8<br> + <span class="bold">Date:</span> 2026-02-14<br> + <span class="bold">CVE indentifier</span> ... + </p> + + <h4>Impact</h4> + <p>We had an issue that there was a possibility to perform a potential command injection possibility by manipulating SSIDs in <span class="code">wifiNetworks()</span> on linux machines.</p> + + <h4>Patch</h4> + <p>Problem was fixed with parameter checking. If you are using version 5, please upgrade to version >= 5.30.8.</p> + <hr> + <br> + <h2>fsSize Command Injection Vulnerability</h2> <p><span class="bold">Affected versions:</span> < 5.27.14<br> @@ -58,7 +73,6 @@ <h4>Patch</h4> <p>Problem was fixed with parameter checking. If you are using version 5, please upgrade to version >= 5.27.14.</p> <hr> <br> - <h2>SSID Command Injection Vulnerability</h2> <p><span class="bold">Affected versions:</span> < 5.23.7<br>
lib/wifi.js+2 −2 modified@@ -437,8 +437,8 @@ function wifiNetworks(callback) { const res = getWifiNetworkListIw(ifaceSanitized); if (res === -1) { // try again after 4 secs - setTimeout((iface) => { - const res = getWifiNetworkListIw(iface); + setTimeout(() => { + const res = getWifiNetworkListIw(ifaceSanitized); if (res !== -1) { result = res; }
README.md+1 −1 modified@@ -31,7 +31,7 @@ ## The Systeminformation Project This is amazing. Started as a small project just for myself, it now has > 19,000 -lines of code, > 700 versions published, up to 15 mio downloads per month, > 450 +lines of code, > 700 versions published, up to 20 mio downloads per month, > 480 mio downloads overall. Top 10 NPM ranking for backend packages. Thank you to all who contributed to this project!
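Review bot: the lib/wifi.js hunk closes the gap correctly: the retry callback no longer declares its own `iface` parameter and instead captures `ifaceSanitized` from the enclosing scope, so the initial call and the 4-second retry both reach getWifiNetworkListIw() with the same validated value. Worth adding alongside it is a regression test that drives the retry branch (first scan returning -1) with an interface name containing shell metacharacters and asserts that the second call receives the sanitized string; and since the advisory description says the value is still interpolated into `execSync('iwlist ${iface} scan')`, an argument-array call (execFileSync with `['iwlist', iface, 'scan']`-style arguments) would remove the shell from the path entirely as defense in depth.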
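Review bot: in the first docs/security.html hunk the new advisory text does not match the fix it documents: the Impact paragraph says the injection is "by manipulating SSIDs", but this commit (and the advisory description) concerns the unsanitized interface parameter in the wifiNetworks() retry path; the SSID wording reads as copied from the older "< 5.23.7" entry. Also fix the "CVE indentifier" typo, replace the "..." placeholder once the identifier is assigned, and tighten "possibility to perform a potential command injection possibility" to "a command injection".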
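Review bot: the second docs/security.html hunk removes `<h2>SSID Command Injection Vulnerability</h2>`, which is the heading of the pre-existing "< 5.23.7" advisory, leaving that entry's "Affected versions" paragraph sitting directly under the fsSize entry's `<hr>`/`<br>`. Unless the intent is to retire that advisory, the `-` line looks accidental and the heading should be restored.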
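Review bot: the README.md hunk (and the "Dependents" 957 → 969 change in docs/index.html) updates download and dependent statistics unrelated to the vulnerability; only the advisory link and version bump belong in a security fix commit. Keeping the patch minimal makes it easier to audit and to backport to older 5.x lines.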
Vulnerability mechanics
References
- github.com/advisories/GHSA-9c88-49p5-5ggf (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26280 (source: ghsa; type: ADVISORY)
- github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460 (source: ghsa; tags: x_refsource_MISC, WEB)
- github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf (source: ghsa; tags: x_refsource_CONFIRM, WEB)