8.4
Systeminformation wifi Networks Function Allows Malicious Command Execution
CVE-2026-26280
GHSA-9c88-49p5-5ggf
Summary
The Systeminformation wifiNetworks function does not properly validate its network interface parameter, allowing an attacker to execute arbitrary operating system commands. An application that passes unvalidated input to this function could let an attacker take control of the host it runs on. Update to the latest version of Systeminformation to fix this issue.
What to do
- Update plusinnovations systeminformation to version 5.30.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| plusinnovations | systeminformation | <= 5.30.8 | 5.30.8 |
| systeminformation | systeminformation | <= 5.30.8 | – |
Original title
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
Original description
### Summary
A command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.
### Details
In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to ``execSync(`iwlist ${iface} scan`)``.
### PoC
1. Install `[email protected]`
2. Call `si.wifiNetworks('eth0; id')`
3. The first call sanitizes input, but if results are empty, the retry executes: `iwlist eth0; id scan`
### Impact
Remote Code Execution (RCE). Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process.
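The flaw described above is a retry closure that re-reads the raw argument after the first attempt used a cleaned copy. The following is an added example, not code from the systeminformation project or from the advisory author: it contrasts that shape with a hardened one that validates the interface name once against an allowlist, rejects instead of rewriting, and passes arguments as an argv array on every attempt. The `stripMeta` sanitizer, the `IFACE_RE` allowlist and the recording runners are assumptions constructed for the demonstration; nothing here executes a real command.

```javascript
// Added example (not systeminformation's code). A fake runner records the
// command it would have executed, so the retry path can be observed offline.

// Linux interface names are at most 15 characters (IFNAMSIZ - 1). The
// character allowlist below is an assumption for this example.
const IFACE_RE = /^[A-Za-z0-9._:-]{1,15}$/;

function isValidIface(name) {
  return typeof name === 'string' && IFACE_RE.test(name);
}

// Hypothetical stand-in for a "strip shell metacharacters" sanitizer
// applied on the first attempt (the real sanitizer is not reproduced).
function stripMeta(s) {
  return String(s).replace(/[^A-Za-z0-9._:-]/g, '');
}

// Vulnerable shape: the first attempt uses the cleaned name, but the retry
// interpolates the ORIGINAL parameter into a shell string.
function scanVulnerable(iface, runShell) {
  const cleaned = stripMeta(iface);
  let result = runShell(`iwlist ${cleaned} scan`);
  if (result.length === 0) {
    // Retry path: `iface` here is the raw, unsanitized argument.
    result = runShell(`iwlist ${iface} scan`);
  }
  return result;
}

// Hardened shape: validate once, reject bad input, and reuse the same argv
// array (no shell involved) for the retry. In real code the runner would be
// child_process.execFile('iwlist', [iface, 'scan'], ...).
function scanHardened(iface, runArgv) {
  if (!isValidIface(iface)) {
    throw new TypeError(`invalid interface name: ${JSON.stringify(iface)}`);
  }
  const argv = ['iwlist', iface, 'scan'];
  let result = runArgv(argv);
  if (result.length === 0) {
    result = runArgv(argv); // same validated argv on retry
  }
  return result;
}

// Drive both shapes with runners that always return an empty scan (forcing
// the retry) and record what they were asked to run.
function demo(rawIface) {
  const shellCommands = [];
  const argvCalls = [];
  scanVulnerable(rawIface, (cmd) => { shellCommands.push(cmd); return []; });
  let hardenedError = null;
  try {
    scanHardened(rawIface, (argv) => { argvCalls.push(argv); return []; });
  } catch (e) {
    hardenedError = e.message;
  }
  return { shellCommands, argvCalls, hardenedError };
}

// Constructed input matching the advisory's PoC value.
console.log(JSON.stringify(demo('eth0; id'), null, 2));
console.log(JSON.stringify(demo('wlan0'), null, 2));
```

Running `demo('eth0; id')` shows the first recorded shell string as `iwlist eth0id scan` (cleaned) and the second, from the retry, as the raw `iwlist eth0; id scan`, while the hardened variant records no call at all because validation rejects the value up front. The design point is that rejecting with an allowlist and never building a shell string removes the whole class of "sanitized in one path, raw in another" bugs: there is only one value, validated before any runner sees it.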
NVD CVSS 3.1: 7.8
Vulnerability type: CWE-78 (OS Command Injection)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026