๐Ÿ” CVE Alert

CVE-2026-50289

UNKNOWN 0.0

systeminformation: OS command injection in networkInterfaces() via interfaces(5) source-directive path on Linux

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

systeminformation is a System and OS information library for node.js. Prior to 5.31.7, networkInterfaces() on Linux is vulnerable to OS command injection through the Debian/Ubuntu interfaces(5) source directive because lib/network.js checkLinuxDCHPInterfaces() reads /etc/network/interfaces, extracts a source <path> token from file content, and interpolates it unquoted into cat ${file} 2> /dev/null | grep 'iface\|source' executed by execSync(cmd, util.execOptsLinux), allowing a path containing shell metacharacters to execute commands in any process that calls networkInterfaces(), including via getStaticData() and getAllData(). This issue is fixed in version 5.31.7.

CWE CWE-78
Vendor sebhildebrandt
Product systeminformation
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for sebhildebrandt systeminformation

Be the first to know when new unknown vulnerabilities affecting sebhildebrandt systeminformation are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

sebhildebrandt / systeminformation
< 5.31.7

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5xpp-75jx-m839 github.com: https://github.com/sebhildebrandt/systeminformation/commit/bbfddde48672d0ee124fefdb3cb4442fd9dd4f03 github.com: https://github.com/sebhildebrandt/systeminformation/releases/tag/v5.31.7