Command injection in systeminformation - CVE-2026-26280

Published: May 11, 2026


Vulnerability identifier: #VU130996
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26280
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Sebastian Hildebrandt
Affected software:
systeminformation

Detailed vulnerability description

The vulnerability allows an attacker who can influence the network interface name passed to the library to execute arbitrary OS commands on the host running the application.

The vulnerability exists due to command injection in the retry path of wifiNetworks() in lib/wifi.js. When the initial scan of a user-supplied network interface returns no results, the function retries and passes the original, unsanitized iface value to getWifiNetworkListIw(), which builds an iwlist command around that value and runs it through execSync. Because execSync hands the command to a shell, shell metacharacters in a crafted interface name are interpreted as additional commands rather than as part of the interface name.

The root cause is that the interface name is validated only on the first attempt; the retry reuses the raw value, so any sanitization performed before the initial scan is bypassed.


How to mitigate CVE-2026-26280

Install the security update from the vendor's website, i.e. upgrade the systeminformation npm package to a fixed release. Until the upgrade is deployed, applications that pass user-controlled interface names to wifiNetworks() should validate them against a strict allowlist of interface-name characters before the call, since the vulnerable retry path bypasses the library's own first-attempt sanitization.

Sources