CVE-2026-26280
Published: 19 February 2026
Summary
CVE-2026-26280 is a high-severity OS Command Injection (CWE-78) vulnerability in the systeminformation library (vendor: Systeminformation). Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The vulnerability ranks at the 8.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of the command injection flaw in systeminformation versions prior to 5.30.8, directly eliminating the vulnerability.
- SI-10 (Information Input Validation): mandates validation of the user-controlled 'iface' parameter before it is passed to si.wifiNetworks(), preventing unsanitized input from reaching the execSync command in the retry path.
- AC-6 (Least Privilege): enforces least privilege for the Node.js process, limiting the scope and impact of arbitrary command execution resulting from successful exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unix Shell (T1059.004): command injection in wifiNetworks() directly enables arbitrary Unix shell command execution, because unsanitized input reaches execSync('iwlist ${iface} scan').
NVD Description
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
Deeper analysis
CVE-2026-26280 is a command injection vulnerability in the systeminformation library for Node.js, affecting versions prior to 5.30.8. The issue resides in the wifiNetworks() function within lib/wifi.js, where the network interface parameter (iface) is sanitized on the initial call (line 437). However, if the initial scan returns empty results, a setTimeout retry (lines 440-441) invokes getWifiNetworkListIw(iface) with the original unsanitized iface value, which is directly passed to execSync('iwlist ${iface} scan'). This allows arbitrary OS commands to be executed. The vulnerability is rated with a CVSS score of 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-78 (OS Command Injection).
A local attacker can exploit this vulnerability by supplying malicious user-controlled input as the iface parameter to si.wifiNetworks() in any application that uses the library. No privileges are required (PR:N), attack complexity is low (AC:L), the attack vector is local (AV:L), and no user interaction is needed (UI:N). Successful exploitation enables arbitrary command execution with the privileges of the Node.js process, potentially leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).
The GitHub security advisory (GHSA-9c88-49p5-5ggf) and the fixing commit (22242aa56188f2bffcbd7d265a11e1ebb808b460) confirm that upgrading to version 5.30.8 resolves the issue by ensuring proper sanitization in the retry path. Applications passing user-controlled input to si.wifiNetworks() should update immediately to mitigate the risk of command injection.
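The defect pattern described above, modelled as an added example that is not the systeminformation project's code: a sanitized value is used for the first scan, but the retry path is handed the caller's original argument. The allow-list sanitizer, the recording runner (which stands in for execSync and never touches a shell) and the interface names are assumptions for illustration.

```javascript
// Added example, not the systeminformation project's code; the sanitizer,
// the recording runner and the interface names are assumptions.

// Hypothetical sanitizer: keep only characters a Linux interface name can
// contain; spaces and shell metacharacters such as ';' or '$' are dropped.
function sanitizeIface(iface) {
  return String(iface).replace(/[^A-Za-z0-9_.:-]/g, '');
}

// Stand-in for execSync that never touches a shell: it records each command
// string and returns an empty scan on the first call to force the retry.
function makeRecordingRunner() {
  const runner = { commands: [] };
  runner.run = (cmd) => {
    runner.commands.push(cmd);
    return runner.commands.length === 1 ? [] : ['constructed-ssid'];
  };
  return runner;
}

// The sink: whatever arrives here is interpolated into a shell command line.
function getWifiNetworkListIw(iface, runner) {
  return runner.run(`iwlist ${iface} scan`);
}

// Vulnerable shape: the first scan uses the sanitized value, but the retry is
// handed the caller's original argument.
function wifiNetworksVulnerable(iface, runner) {
  let networks = getWifiNetworkListIw(sanitizeIface(iface), runner);
  if (networks.length === 0) {
    networks = getWifiNetworkListIw(iface, runner); // bug: unsanitized retry
  }
  return networks;
}

// Hardened shape: sanitize once, up front, and reuse only that value.
function wifiNetworksFixed(iface, runner) {
  const safeIface = sanitizeIface(iface);
  let networks = getWifiNetworkListIw(safeIface, runner);
  if (networks.length === 0) {
    networks = getWifiNetworkListIw(safeIface, runner);
  }
  return networks;
}

// Runs an implementation against a constructed hostile argument and returns
// the command strings that reached the sink, for review or regression tests.
function sinkCommands(impl, iface = 'wlan0; echo injected') {
  const runner = makeRecordingRunner();
  impl(iface, runner);
  return runner.commands;
}
```

Comparing the second recorded command of each implementation is a cheap regression test for this class of bug: every command string that reaches the sink should contain only the sanitized value.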
Details
- CWE(s)