SB2026051178 - OS Command Injection in systeminformation




Published: May 11, 2026

Security Bulletin ID: SB2026051178
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) OS Command Injection (CVE-ID: CVE-2026-44724)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary commands.

The vulnerability exists due to command injection in networkInterfaces() in lib/network.js when processing an active NetworkManager connection profile name obtained from nmcli output. A local user can create or rename an active NetworkManager connection profile with shell metacharacters to execute arbitrary commands.

The injected command runs with the privileges of the calling Node.js process.


Remediation

Install the update from the vendor's website.