CVE-2026-26318
Published 2026-02-19
CVE-2026-26318: systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate`…
Priority P3 · 53 · high · 8.8 (CVSS 3.1) · vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.15% (62.9th percentile)
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sebhildebrandt | systeminformation | < 5.31.0 | 5.31.0 |
| systeminformation | systeminformation | < 5.31.0 | 5.31.0 |
| systeminformation | systeminformation | >= 0 < 5.31.0 | 5.31.0 |
CVSS provenance
- nvd: CVSS v3.1 8.8 HIGH, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- vendor_redhat: 8.8 HIGH
Red Hat
systeminformation: systeminformation: Arbitrary code execution via unsanitized `locate` output
vendor_redhat·2026-02-19·CVSS 8.8
CVE-2026-26318 [HIGH] CWE-78 systeminformation: systeminformation: Arbitrary code execution via unsanitized `locate` output
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
A flaw was found in systeminformation, a System and OS information library for node.js. This vulnerability allows a local attacker with low privileges to inject and execute arbitrary commands due to unsanitized output from the `locate` command within the `versions()` function. Successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected system.
Mitigation: Mitigation for this issue is either not available or the currently available opt
VulDB
sebhildebrandt systeminformation up to 5.30.x versions os command injection (GHSA-5vv4-hvf7-2h46 / Nessus ID 318409)
vuldb·2026-07-01·CVSS 8.8
CVE-2026-26318 [HIGH] sebhildebrandt systeminformation up to 5.30.x versions os command injection (GHSA-5vv4-hvf7-2h46 / Nessus ID 318409)
A vulnerability was found in sebhildebrandt systeminformation up to 5.30.x. It has been declared as critical. The affected element is the function versions. The manipulation results in os command injection.
This vulnerability was named CVE-2026-26318. The attack needs to be approached locally. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
ghsa·2026-02-18
CVE-2026-26318 [HIGH] CWE-78 Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
# Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
**Package:** systeminformation (npm)
**Tested Version:** 5.30.7
**Affected Platform:** Linux
**Author:** Sebastian Hildebrandt
**Weekly Downloads:** ~5,000,000+
**Repository:** https://github.com/sebhildebrandt/systeminformation
**Severity:** Medium
**CWE:** CWE-78 (OS Command Injection)
---
### The Vulnerable Code Path
Inside the `versions()` function, when detecting the PostgreSQL version on Linux, the code does this:
```javascript
// lib/osinfo.js — lines 770-776 (excerpt as quoted in the advisory)
const { exec } = require('child_process'); // import used by the original file, added for context
exec('locate bin/postgres', (error, stdout) => {
  if (!error) {
    // Every line of locate output is taken at face value; locate indexes user-writable
    // directories, so a local user controls what appears here.
    const postgresqlBin = stdout.toString().split('\n').sort();
    if (postgresqlBin.length) {
      // The advisory excerpt ends here; the selected path is subsequently used in a shell command.
    }
  }
});
```
OSV
Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
osv·2026-02-18
CVE-2026-26318 [HIGH] Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
No detection rules found.
No public exploits indexed.
References
https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46
https://access.redhat.com/security/cve/CVE-2026-26318
https://bugzilla.redhat.com/show_bug.cgi?id=2441124
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26318.json