GHSA-9c88-49p5-5ggf
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
Details
### Summary A command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.
### Details In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`.
### PoC 1. Install `systeminformation@5.30.7` 2. Call `si.wifiNetworks('eth0; id')` 3. The first call sanitizes input, but if results are empty, the retry executes: `iwlist eth0; id scan`
### Impact Remote Code Execution (RCE). Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-26280 [ADVISORY]
- https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460 [WEB]
- https://github.com/sebhildebrandt/systeminformation [PACKAGE]