OS Command Injection in systeminformation - CVE-2026-44724

 


Published: May 11, 2026


Vulnerability identifier: #VU130997
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44724
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Sebastian Hildebrandt
Affected software: systeminformation

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary commands.

The vulnerability exists due to command injection in networkInterfaces() in lib/network.js when processing an active NetworkManager connection profile name obtained from nmcli output. A local user can create or rename an active NetworkManager connection profile with shell metacharacters to execute arbitrary commands.

The injected command runs with the privileges of the calling Node.js process.
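The general pattern behind this class of bug, shown as an added example that is not systeminformation's own code: a profile name parsed from nmcli terse output is safe as a single argv element but not when interpolated into a shell string. The function names and the sample nmcli output are constructed for illustration.

```javascript
// Added example, not systeminformation code; names and sample data are constructed.
// Sample mimics `nmcli -t -f NAME,DEVICE connection show --active` output.
// In terse mode nmcli escapes ':' and '\' inside values with a backslash.
const SAMPLE_TERSE = [
  'Wired connection 1:eth0',
  'office\\:guest:wlan0',
  'guest$(true):wlan1', // constructed name carrying shell metacharacters
].join('\n');

// Split one terse line on unescaped ':' and undo the backslash escaping.
function splitTerse(line) {
  const fields = [''];
  for (let i = 0; i < line.length; i++) {
    const last = fields.length - 1;
    if (line[i] === '\\' && i + 1 < line.length) fields[last] += line[++i];
    else if (line[i] === ':') fields.push('');
    else fields[last] += line[i];
  }
  return fields;
}

function parseActiveConnections(terse) {
  return terse.split('\n').filter(Boolean).map((line) => {
    const [name, device] = splitTerse(line);
    return { name, device };
  });
}

// Unsafe pattern: the name lands in a string that a shell will parse.
function unsafeCommandString(name) {
  return `nmcli connection show "${name}"`;
}

// Hardened pattern: the name is one argv element; no shell parses it.
// The `id` keyword tells nmcli the next argument is a profile name.
function nmcliShowArgs(name) {
  return ['-t', 'connection', 'show', 'id', name];
}

// Detection: flag names containing characters a POSIX shell treats specially.
const SHELL_META = /[;&|`$(){}<>\\"'\n\r*?!#~[\]]/;
const flagSuspicious = (conns) => conns.filter((c) => SHELL_META.test(c.name));

// Runs nmcli without a shell (execFile passes argv directly to the program).
async function showConnection(name) {
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) =>
    execFile('nmcli', nmcliShowArgs(name), (e, out) => (e ? reject(e) : resolve(out))));
}
```

The double quotes in the unsafe string do not neutralise the name, because a shell still expands `$(...)` and backticks inside them.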


How to mitigate CVE-2026-44724

Install the security update from the vendor's website.
