Cyber Posture

CVE-2026-26318

High · Public PoC

Published: 19 February 2026
Modified: 20 February 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (fixed in systeminformation 5.31.0)
CVSS Score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26318 is a high-severity OS command injection (CWE-78) vulnerability in systeminformation, a system and OS information library for Node.js. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). Its EPSS score places it at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: directly requires timely remediation of the command injection flaw in systeminformation versions prior to 5.31.0 by applying the available patch (upgrade to 5.31.0 or later).

Detect (RA-5, Vulnerability Monitoring and Scanning): vulnerability scanning identifies the presence of systeminformation library versions affected by CVE-2026-26318, including nested copies pulled in transitively by other packages.

Prevent (CM-10, Software Usage Restrictions): restricts deployment and use of unapproved software versions, preventing installation of systeminformation releases prior to 5.31.0.

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CWE-78 flaw in this Node.js library lets unsanitized `locate` output reach a Unix shell, which is Unix shell command execution (T1059.004). Because the attacker only needs local, low-privileged access (AV:L, PR:L) and the vulnerability is scored with a scope change (S:C) and full confidentiality, integrity and availability impact, it also serves as a path to privilege escalation (T1068) wherever the process that calls `versions()` runs with higher privileges than the attacker.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

Deeper analysisAI

CVE-2026-26318 is a command injection vulnerability (CWE-78) in the systeminformation library, a System and OS information tool for Node.js. Versions prior to 5.31.0 are affected due to unsanitized output from the `locate` command within the `versions()` function, allowing arbitrary command execution.

The vulnerability requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), with no user interaction (UI:N). Exploitation leads to a scope change (S:C) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 8.8. A local low-privileged attacker can inject and execute commands, potentially achieving full system compromise.

Version 5.31.0 of systeminformation resolves the issue. Additional details are available in the GitHub security advisory at GHSA-5vv4-hvf7-2h46 and the fixing commit b67d3715eec881038ccbaace2f2711419ac3e107.

Details

CWE(s)

CWE-78 (OS Command Injection)

Affected Products

systeminformation (vendor: systeminformation)
Versions prior to 5.31.0 (5.31.0 and later are fixed)

CVEs Like This One

CVE-2026-26280 (same product: systeminformation)
CVE-2026-5208 (shared CWE-78)
CVE-2025-10589 (shared CWE-78)
CVE-2026-22277 (shared CWE-78)
CVE-2026-34955 (shared CWE-78)
CVE-2025-56108 (shared CWE-78)
CVE-2025-23383 (shared CWE-78)
CVE-2026-22229 (shared CWE-78)
CVE-2025-24378 (shared CWE-78)
CVE-2026-33641 (shared CWE-78)
