Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
GHSA-9c88-49p5-5ggf · CVE-2026-26280
Description
Summary
A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.
Details
In lib/wifi.js, the wifiNetworks() function sanitizes the iface parameter on the initial call (line 437). However, when the initial scan returns empty results, a setTimeout retry (lines 440-441) calls getWifiNetworkListIw(iface) with the original, unsanitized iface value, which is interpolated into a shell command string and passed directly to execSync(`iwlist ${iface} scan`). Because execSync hands the string to a shell, metacharacters such as ";" in iface are interpreted as command separators on the retry, even though the first call was protected.
PoC
- Install systeminformation@5.30.7
- Call si.wifiNetworks('eth0; id')
- The first call sanitizes the input, but if the scan results are empty, the retry executes:
  iwlist eth0; id scan
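The following is an added illustration, not code from the systeminformation project or from the advisory. It models the two code paths the advisory describes (sanitized first call, unsanitized retry) against a recording stand-in for child_process.execSync, so the injected command can be observed without running iwlist. The allow-list sanitizer, the parseScan stub and the synchronous retry (the library uses a setTimeout) are assumptions made for the example.

```javascript
// Stand-in for child_process.execSync: records the command string instead of
// running it. Returning '' models a scan that produced no networks, which is
// exactly the condition that triggers the retry path.
function makeRecorder() {
  const commands = [];
  return {
    commands,
    execSync(cmd) {
      commands.push(cmd);
      return '';
    },
  };
}

// Allow-list sanitizer (assumed policy, not the project's own helper):
// accept only characters that can legitimately appear in a Linux interface
// name and reject anything else by returning an empty string.
function sanitizeIface(iface) {
  const s = String(iface == null ? '' : iface);
  return /^[A-Za-z0-9._:-]{1,15}$/.test(s) ? s : '';
}

// Stub parser: any output is treated as "no networks found" so that the
// retry branch is always exercised in this demonstration.
function parseScan(output) {
  return [];
}

// Models the vulnerable pattern: the first call uses the sanitized value,
// the retry reuses the ORIGINAL parameter.
function wifiNetworksVulnerable(iface, exec) {
  const safeIface = sanitizeIface(iface);
  let result = parseScan(exec.execSync(`iwlist ${safeIface} scan`));
  if (result.length === 0) {
    // Bug: `iface`, not `safeIface`, reaches the shell on the retry.
    result = parseScan(exec.execSync(`iwlist ${iface} scan`));
  }
  return result;
}

// Hardened pattern: sanitize once, refuse an empty result, and make sure
// every code path (including the retry) only ever sees the sanitized value.
function wifiNetworksFixed(iface, exec) {
  const safeIface = sanitizeIface(iface);
  if (!safeIface) {
    return [];
  }
  let result = parseScan(exec.execSync(`iwlist ${safeIface} scan`));
  if (result.length === 0) {
    result = parseScan(exec.execSync(`iwlist ${safeIface} scan`));
  }
  return result;
}

// Runs both versions with the advisory's payload and returns what each one
// would have handed to the shell.
function demonstrate(payload) {
  const vuln = makeRecorder();
  wifiNetworksVulnerable(payload, vuln);
  const fixed = makeRecorder();
  wifiNetworksFixed(payload, fixed);
  return { vulnerable: vuln.commands, fixed: fixed.commands };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate('eth0; id'), null, 2));
}
```

Two checks follow from this model. First, audit every call site of a sanitized value, not just the first one: a retry, a fallback, or an error handler that closes over the original argument silently undoes the sanitization. Second, string interpolation into execSync is fragile even with an allow-list; passing the interface as a separate argv element via execFileSync('iwlist', [iface, 'scan']) removes shell parsing entirely, so a stray metacharacter becomes a bad interface name rather than a second command.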
Impact
Remote Code Execution (RCE). Any application that passes user-controlled input to si.wifiNetworks() is vulnerable to arbitrary command execution with the privileges of the Node.js process. Note that the injection only fires when the first, sanitized scan returns no results, so an attacker whose first attempt appears harmless still gets execution once the retry runs.
References
- WEB https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-26280
- WEB https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460
- PACKAGE https://github.com/sebhildebrandt/systeminformation