SB2026051177 - Command injection in systeminformation
Published: May 11, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Command injection (CVE-ID: CVE-2026-26280)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary OS commands.
The vulnerability exists due to command injection in the wifiNetworks() retry path in lib/wifi.js when processing a user-supplied network interface parameter after an initial scan returns empty results. A remote attacker can supply a crafted interface value to execute arbitrary OS commands.
The issue occurs because the retry path passes the original unsanitized iface value to getWifiNetworkListIw(), which invokes execSync with an iwlist command.
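A hardened form of the scan-and-retry pattern described above, as an added example; it is not code from systeminformation or its patch. The names `validateIface`, `iwlistScan` and `scanWithRetry` are hypothetical, and the interface-name allow-list is an assumption of this sketch.

```javascript
const { execFileSync } = require('child_process');

// Linux interface names are at most 15 bytes and contain no '/' or whitespace.
// This stricter allow-list (an assumption of this example) also excludes every
// shell metacharacter and forbids a leading '-' so the value cannot be read
// as a command-line option.
const IFACE_RE = /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}$/;

function validateIface(iface) {
  if (typeof iface !== 'string' || !IFACE_RE.test(iface)) {
    throw new TypeError('invalid interface name');
  }
  return iface;
}

// Default scanner: the name is passed as one argv element and no shell is
// spawned, so it is never parsed as shell syntax.
function iwlistScan(iface) {
  return execFileSync('iwlist', [iface, 'scan'], { encoding: 'utf8', timeout: 10000 });
}

// Validate once at the entry point, then use only the validated value for the
// first attempt AND for every retry. The bug class in this bulletin is a retry
// branch that reaches back for the original, unvalidated parameter.
function scanWithRetry(iface, scan = iwlistScan, retries = 1) {
  const safeIface = validateIface(iface);
  let out = '';
  for (let attempt = 0; attempt <= retries; attempt++) {
    out = scan(safeIface);
    if (out.trim() !== '') break; // non-empty result: no retry needed
  }
  return out;
}
```

The `scan` parameter exists so the retry branch can be exercised in unit tests with a stub that returns an empty result first, which is the condition under which the flawed path ran.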
Remediation
Install the update from the vendor's website.