VulnerableCode Package Details - pkg:npm/systeminformation@5.10.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-3fru-mhkb-wbgv Aliases: CVE-2026-26318 GHSA-5vv4-hvf7-2h46	systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.	5.31.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-6q9r-ugta-abgg Aliases: CVE-2026-26280 GHSA-9c88-49p5-5ggf	systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the original unsanitized `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.	5.30.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-b1fj-5bry-fbe3 Aliases: CVE-2026-44724 GHSA-hvx9-hwr7-wjj9	systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.	5.31.6 Affected by 0 other vulnerabilities.
VCID-h7tm-aa2g-duaf Aliases: CVE-2024-56334 GHSA-cvv5-9h9w-qp2m	systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.	5.23.7 Affected by 0 other vulnerabilities. 5.23.8 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ttk2-a8bm-fqh1 Aliases: CVE-2023-42810 GHSA-gx6r-qc2v-3p3v	systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiConnections()`, `wifiNetworks()` (string only).	5.21.7 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-uskg-xb2k-x3dq Aliases: CVE-2025-68154 GHSA-wphj-fx3q-84ch	systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.	5.27.14 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3fru-mhkb-wbgv
Aliases:
CVE-2026-26318
GHSA-5vv4-hvf7-2h46

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

5.31.0
Affected by 1 other vulnerability.

VCID-6q9r-ugta-abgg
Aliases:
CVE-2026-26280
GHSA-9c88-49p5-5ggf

systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.

5.30.8
Affected by 2 other vulnerabilities.

VCID-b1fj-5bry-fbe3
Aliases:
CVE-2026-44724
GHSA-hvx9-hwr7-wjj9

systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.

5.31.6
Affected by 0 other vulnerabilities.

VCID-h7tm-aa2g-duaf
Aliases:
CVE-2024-56334
GHSA-cvv5-9h9w-qp2m

systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

5.23.7
Affected by 0 other vulnerabilities.

5.23.8
Affected by 4 other vulnerabilities.

VCID-ttk2-a8bm-fqh1
Aliases:
CVE-2023-42810
GHSA-gx6r-qc2v-3p3v

systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiConnections()`, `wifiNetworks()` (string only).

5.21.7
Affected by 5 other vulnerabilities.

VCID-uskg-xb2k-x3dq
Aliases:
CVE-2025-68154
GHSA-wphj-fx3q-84ch

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

5.27.14
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:30:24.614073+00:00	GitLab Importer	Affected by	VCID-b1fj-5bry-fbe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/systeminformation/CVE-2026-44724.yml	38.6.0
2026-06-12T21:00:29.403536+00:00	GitLab Importer	Affected by	VCID-3fru-mhkb-wbgv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/systeminformation/CVE-2026-26318.yml	38.6.0
2026-06-12T21:00:20.582514+00:00	GitLab Importer	Affected by	VCID-6q9r-ugta-abgg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/systeminformation/CVE-2026-26280.yml	38.6.0
2026-06-12T20:40:36.672042+00:00	GitLab Importer	Affected by	VCID-uskg-xb2k-x3dq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/systeminformation/CVE-2025-68154.yml	38.6.0
2026-06-12T19:48:36.773341+00:00	GitLab Importer	Affected by	VCID-h7tm-aa2g-duaf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/systeminformation/CVE-2024-56334.yml	38.6.0
2026-06-12T19:06:34.514426+00:00	GitLab Importer	Affected by	VCID-ttk2-a8bm-fqh1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/systeminformation/CVE-2023-42810.yml	38.6.0