SB2026051178 - OS Command Injection in systeminformation
Published: May 11, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) OS Command Injection (CVE-ID: CVE-2026-44724)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary commands.
The vulnerability exists due to command injection in networkInterfaces() in lib/network.js when processing an active NetworkManager connection profile name obtained from nmcli output. A local user can create or rename an active NetworkManager connection profile with shell metacharacters to execute arbitrary commands.
The injected command runs with the privileges of the calling Node.js process.
Remediation
Install the update from the vendor's website.