Cyber Resilience

CVE-2026-26280

High · Public PoC · Updated

Published: 19 February 2026
Modified: 30 June 2026
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0111 (61.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26280 is a high-severity OS Command Injection (CWE-78) vulnerability in Systeminformation Systeminformation. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 38.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26280 is a command injection vulnerability in the systeminformation library for Node.js, affecting versions prior to 5.30.8. The issue resides in the wifiNetworks() function within lib/wifi.js, where the network interface parameter (iface) is sanitized on the initial call (line 437). However, if the initial scan returns empty results, a setTimeout retry (lines 440-441) invokes getWifiNetworkListIw(iface) with the original unsanitized iface value, which is directly passed to execSync('iwlist ${iface} scan'). This allows arbitrary OS commands to be executed. The vulnerability is rated with a CVSS score of 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-78 (OS Command Injection).

A local attacker can exploit this vulnerability by providing malicious user-controlled input as the iface parameter to si.wifiNetworks() in any application using the library. No privileges are required (PR:N), and exploitation requires low complexity with local access (AV:L) but no user interaction (UI:N). Successful exploitation enables arbitrary command execution with the privileges of the Node.js process, potentially leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).

The GitHub security advisory (GHSA-9c88-49p5-5ggf) and the fixing commit (22242aa56188f2bffcbd7d265a11e1ebb808b460) confirm that upgrading to version 5.30.8 resolves the issue by ensuring proper sanitization in the retry path. Applications passing user-controlled input to si.wifiNetworks() should update immediately to mitigate the risk of command injection.

Vulnerability details

systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in wifiNetworks() directly enables arbitrary Unix shell command execution via unsanitized input to execSync('iwlist ${iface} scan').

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26318 · Same product: Systeminformation Systeminformation
CVE-2024-55590 · Shared CWE-78
CVE-2026-45629 · Shared CWE-78
CVE-2026-45630 · Shared CWE-78
CVE-2025-34227 · Shared CWE-78
CVE-2026-1460 · Shared CWE-78
CVE-2025-22606 · Shared CWE-78
CVE-2026-31386 · Shared CWE-78
CVE-2024-57019 · Shared CWE-78
CVE-2026-45152 · Shared CWE-78

Affected Assets

systeminformation / systeminformation: ≤ 5.30.8

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and patching of the command injection flaw in systeminformation versions prior to 5.30.8, directly eliminating the vulnerability.

prevent: SI-10 (Information Input Validation) mandates validation of the user-controlled 'iface' parameter before passing it to si.wifiNetworks(), preventing unsanitized input from reaching the execSync command in the retry path.

prevent: least privilege for the Node.js process limits the scope and impact of arbitrary command execution resulting from successful exploitation.
