Search for packages
| purl | pkg:npm/systeminformation@3.49.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2wps-we57-tufd
Aliases: CVE-2020-7778 GHSA-8j36-q8x7-pm6q |
OS Command Injection in systeminformation |
Affected by 9 other vulnerabilities. |
|
VCID-3fru-mhkb-wbgv
Aliases: CVE-2026-26318 GHSA-5vv4-hvf7-2h46 |
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue. |
Affected by 1 other vulnerability. |
|
VCID-5pyu-6292-efhw
Aliases: CVE-2021-21315 GHSA-2m8v-572m-ff2v |
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected. |
Affected by 7 other vulnerabilities. |
|
VCID-6q9r-ugta-abgg
Aliases: CVE-2026-26280 GHSA-9c88-49p5-5ggf |
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue. |
Affected by 2 other vulnerabilities. |
|
VCID-h7tm-aa2g-duaf
Aliases: CVE-2024-56334 GHSA-cvv5-9h9w-qp2m |
systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-ksqy-dhbn-sba3
Aliases: CVE-2020-7752 GHSA-94xh-2fmc-xf5j |
systeminformation command injection vulnerability |
Affected by 10 other vulnerabilities. |
|
VCID-kytk-ajna-1bg5
Aliases: CVE-2021-21388 GHSA-jff2-qjw8-5476 |
systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation prior to 5.6.4. The issue has been fixed with a parameter check on user input. Please upgrade to version >= 5.6.4. If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and other commands. Only allow strings, reject any arrays. String sanitation works as expected. |
Affected by 6 other vulnerabilities. |
|
VCID-mkjs-q8k2-3fhw
Aliases: CVE-2020-26300 GHSA-fj59-f6c3-3vw4 |
Command Injection in systeminformation |
Affected by 11 other vulnerabilities. |
|
VCID-q21u-zavq-jbhb
Aliases: CVE-2020-26274 GHSA-m57p-p67h-mq74 |
In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix. |
Affected by 7 other vulnerabilities. |
|
VCID-uskg-xb2k-x3dq
Aliases: CVE-2025-68154 GHSA-wphj-fx3q-84ch |
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch. |
Affected by 3 other vulnerabilities. |
|
VCID-ya36-81up-4yg8
Aliases: CVE-2020-26245 GHSA-4v2w-h9jm-mqjg |
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite(). |
Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||