npm package
systeminformation
pkg:npm/systeminformation
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44724 | hig | — | >= 4.17.0, < 5.31.6 | 5.31.6 | May 13, 2026 | ## Summary On Linux, `systeminformation` is vulnerable to command injection in `networkInterfaces()` when an **active NetworkManager connection profile name** contains shell metacharacters. This is not caused by a caller passing attacker-controlled arguments into `networkInterf | |
| CVE-2026-26318 | — | < 5.31.0 | 5.31.0 | Feb 19, 2026 | systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue. | ||
| CVE-2026-26280 | — | < 5.30.8 | 5.30.8 | Feb 19, 2026 | systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry co | ||
| CVE-2025-68154 | — | < 5.27.14 | 5.27.14 | Dec 16, 2025 | systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com | ||
| CVE-2024-56334 | Hig | 7.8 | < 5.23.7 | 5.23.7 | Dec 20, 2024 | systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS comm | |
| CVE-2023-42810 | — | >= 5.0.0, < 5.21.7 | 5.21.7 | Sep 21, 2023 | systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiC | ||
| CVE-2020-26300 | — | < 4.26.2 | 4.26.2 | Sep 9, 2021 | systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. Problem was fixed in version 4.26.2 with a shell string sanitation fix. | ||
| CVE-2021-21388 | — | < 5.6.4 | 5.6.4 | Apr 29, 2021 | systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation prior to 5.6.4. The issue has been fixed with a parameter check on user input. Please upgrade to version >= 5. | ||
| CVE-2021-21315 | — | KEV | < 5.3.1 | 5.3.1 | Feb 16, 2021 | The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed | |
| CVE-2020-26274 | — | < 4.31.1 | 4.31.1 | Dec 16, 2020 | In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix. | ||
| CVE-2020-26245 | — | < 4.30.5 | 4.30.5 | Nov 27, 2020 | npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be s | ||
| CVE-2020-7778 | — | < 4.30.2 | 4.30.2 | Nov 26, 2020 | This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands. | ||
| CVE-2020-7752 | — | < 4.27.11 | 4.27.11 | Oct 26, 2020 | This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands. |
- affected >= 4.17.0, < 5.31.6fixed 5.31.6
## Summary On Linux, `systeminformation` is vulnerable to command injection in `networkInterfaces()` when an **active NetworkManager connection profile name** contains shell metacharacters. This is not caused by a caller passing attacker-controlled arguments into `networkInterf
- CVE-2026-26318Feb 19, 2026affected < 5.31.0fixed 5.31.0
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
- CVE-2026-26280Feb 19, 2026affected < 5.30.8fixed 5.30.8
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry co
- CVE-2025-68154Dec 16, 2025affected < 5.27.14fixed 5.27.14
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com
- affected < 5.23.7fixed 5.23.7
systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS comm
- CVE-2023-42810Sep 21, 2023affected >= 5.0.0, < 5.21.7fixed 5.21.7
systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiC
- CVE-2020-26300Sep 9, 2021affected < 4.26.2fixed 4.26.2
systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. Problem was fixed in version 4.26.2 with a shell string sanitation fix.
- CVE-2021-21388Apr 29, 2021affected < 5.6.4fixed 5.6.4
systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation prior to 5.6.4. The issue has been fixed with a parameter check on user input. Please upgrade to version >= 5.
- affected < 5.3.1fixed 5.3.1
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed
- CVE-2020-26274Dec 16, 2020affected < 4.31.1fixed 4.31.1
In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix.
- CVE-2020-26245Nov 27, 2020affected < 4.30.5fixed 4.30.5
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be s
- CVE-2020-7778Nov 26, 2020affected < 4.30.2fixed 4.30.2
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
- CVE-2020-7752Oct 26, 2020affected < 4.27.11fixed 4.27.11
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.