CVE-2026-26318 in systeminformation

Summary

by MITRE • 02/19/2026

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.


Analysis

by VulDB Data Team • 06/04/2026

The vulnerability identified as CVE-2026-26318 affects the systeminformation node.js library, which serves as a comprehensive system and operating system information gathering tool. This library is widely used by developers to collect hardware and software details from various operating systems, making it a critical component in system monitoring and diagnostic applications. The vulnerability stems from improper input sanitization within the library's version detection functionality, specifically in how it processes output from the locate command during version enumeration operations.

The technical flaw lies in the versions() function, where the library fails to sanitize the output of the locate command before processing it. Because that output is used unsanitized, an attacker who controls file paths or can create malicious file structures can inject commands that execute on systems where the vulnerable library is installed. The issue is particularly concerning because the locate command is commonly used to find files on Unix-like systems, so its output is directly influenced by the file system's contents. When the systeminformation library processes this unsanitized output, it inadvertently executes commands embedded in the locate results, creating a direct path for remote code execution.

The operational impact of this vulnerability extends beyond simple command execution, as it can lead to complete system compromise when the vulnerable library is used in applications that handle untrusted input or when deployed in environments where attackers can influence file system structures. Attackers can leverage this vulnerability to escalate privileges, install backdoors, exfiltrate sensitive data, or disrupt system operations. The vulnerability affects all versions prior to 5.31.0, making it particularly widespread since many applications may be using older versions of the library. This issue aligns with CWE-78, which describes improper neutralization of special elements used in OS commands, and represents a classic command injection vulnerability that can be exploited through various attack vectors including file system manipulation and input validation bypasses.

Mitigation strategies should focus on immediate patching to version 5.31.0 or later, which contains the necessary fixes to sanitize locate command outputs before processing. Organizations should conduct thorough inventory checks to identify all systems and applications using vulnerable versions of the systeminformation library and ensure proper update deployment. Additional defensive measures include implementing network segmentation to limit access to systems running vulnerable applications, monitoring for suspicious command execution patterns, and conducting regular security assessments of node.js applications that utilize systeminformation. The fix implemented in version 5.31.0 likely involves proper input validation and sanitization of command outputs, following security best practices that align with the ATT&CK framework's command and control techniques. Organizations should also consider implementing application whitelisting policies and restricting file system access for applications that use systeminformation to minimize potential exploitation surfaces.

Responsible

GitHub M

Reservation

02/13/2026

Disclosure

02/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00020

KEV

no

Activities

low

Sources
