CVE-2026-44724
published 2026-05-27
CVE-2026-44724: systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in…
Priority P347 · high · 7.8 CVSS 3.1
CVSS vector: AV:L AC:L PR:L UI:N S:U C:H I:H A:H
EPSS: 0.62% (45.2th percentile)
systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhdh | rhdh-hub-rhel9 | — | — |
| rhoai | odh-mod-arch-automl-rhel9 | — | — |
| rhoai | odh-mod-arch-autorag-rhel9 | — | — |
| rhoai | odh-mod-arch-eval-hub-rhel9 | — | — |
| rhoai | odh-mod-arch-maas-rhel9 | — | — |
| rhoai | odh-mod-arch-mlflow-rhel9 | — | — |
| sebhildebrandt | systeminformation | — | — |
| systeminformation | systeminformation | >= 4.17.0 < 5.31.6 | 5.31.6 |
CVSS provenance
nvd v3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat 7.8 HIGH
GHSA
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
ghsa·2026-05-13
CVE-2026-44724 [HIGH] CWE-78 Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
## Summary
On Linux, `systeminformation` is vulnerable to command injection in `networkInterfaces()` when an **active NetworkManager connection profile name** contains shell metacharacters.
This is not caused by a caller passing attacker-controlled arguments into `networkInterfaces()`. The vulnerable value is obtained internally from real `nmcli device status` output. The library sanitizes the network interface name before using it in shell commands, but it does **not** apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized `connectionName` is then interpolated into three shell command strings executed through
VulDB
sebhildebrandt systeminformation 5.23.7/5.27.14/5.30.8/5.31.0 Profile Name networkInterfaces command injection
vuldb·2026-05-13
CVE-2026-44724 [CRITICAL] sebhildebrandt systeminformation 5.23.7/5.27.14/5.30.8/5.31.0 Profile Name networkInterfaces command injection
A vulnerability was found in sebhildebrandt systeminformation 5.23.7/5.27.14/5.30.8/5.31.0. It has been declared as critical. The impacted element is the function networkInterfaces of the component Profile Name Handler. Such manipulation leads to command injection.
This vulnerability is documented as CVE-2026-44724. The attack needs to be performed locally. No exploit is available.
It is recommended to upgrade the affected component.
Red Hat
systeminformation: systeminformation: Command injection via NetworkManager connection profile name
vendor_redhat·2026-05-27·CVSS 7.8
CVE-2026-44724 [HIGH] CWE-78 systeminformation: systeminformation: Command injection via NetworkManager connection profile name
systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.
A flaw was foun
No detection rules found.
No public exploits indexed.
References
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9
- https://access.redhat.com/security/cve/CVE-2026-44724
- https://bugzilla.redhat.com/show_bug.cgi?id=2482416
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44724.json
Published 2026-05-27