OS Command Injection Vulnerability in Systeminformation Library for Node.js
CVE-2026-50289

8.7HIGH

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2026-50289?

The Systeminformation library for Node.js is susceptible to an OS command injection vulnerability, allowing malicious actors to execute arbitrary commands. This issue arises from the improper handling of file paths within the networkInterfaces() function when executed on Linux systems. Specifically, the vulnerability occurs in versions prior to 5.31.7, where unquoted shell metacharacters in the source directive of the /etc/network/interfaces file can lead to the execution of arbitrary commands through a crafted path. This security flaw can impact any application utilizing the affected library, emphasizing the importance of updating to version 5.31.7 or later to mitigate the risk. For further details, please refer to the official advisory and the commit addressing this issue.

Affected Version(s)

systeminformation < 5.31.7

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.