SB2026051177 - Command injection in systeminformation



SB2026051177 - Command injection in systeminformation

Published: May 11, 2026

Security Bulletin ID SB2026051177
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Command injection (CVE-ID: CVE-2026-26280)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to execute arbitrary OS commands.

The vulnerability exists due to command injection in the wifiNetworks() retry path in lib/wifi.js when processing a user-supplied network interface parameter after an initial scan returns empty results. A remote attacker can supply a crafted interface value to execute arbitrary OS commands.

The issue occurs because the retry path passes the original unsanitized iface value to getWifiNetworkListIw(), which invokes execSync with an iwlist command.


Remediation

Install update from vendor's website.