CVE-2026-44724
Deferred Deferred - Pending Action
Command Injection in systeminformation Library

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-16
NVD
CVE-2026-44724
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sebhildebrandt systeminformation From 4.17.0 (inc) to 5.31.5 (inc)
sebhildebrandt systeminformation 5.31.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44724 is a high-severity command injection vulnerability in the systeminformation library for Linux systems, specifically in the networkInterfaces() function.

The vulnerability arises because the library sanitizes network interface names but does not sanitize NetworkManager connection profile names, which can contain shell metacharacters.

These unsanitized connection profile names are interpolated directly into shell commands executed via execSync(), allowing an attacker who can create or rename an active NetworkManager connection profile to inject and execute arbitrary shell commands with the privileges of the Node.js process.

This issue affects versions 4.17.0 through 5.31.5 of the systeminformation npm package and was fixed in version 5.31.6.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability allows an attacker with local access to create or rename a NetworkManager connection profile with malicious shell commands embedded in its name.

When the networkInterfaces() function is called, these malicious commands are executed with the privileges of the Node.js process running the systeminformation library.

The impact includes potential full compromise of the affected system, unauthorized access to sensitive environment variables and process context data, and execution of arbitrary commands leading to confidentiality, integrity, and availability breaches.

Detection Guidance

This vulnerability can be detected by checking if your system is running a vulnerable version of the systeminformation library (versions 4.17.0 through 5.31.5) on Linux. Specifically, you should inspect active NetworkManager connection profile names for the presence of shell metacharacters, as these unsanitized names are the root cause of the command injection.

You can use the nmcli command to list active NetworkManager connection profiles and examine their names for suspicious characters that could be used for command injection.

  • Run `nmcli connection show --active` to list active connection profiles.
  • Inspect the output for profile names containing shell metacharacters such as `;`, `&`, `|`, `$`, `>`, `<`, or backticks.
  • If you are using the systeminformation library, calling the `networkInterfaces()` function may trigger the vulnerability if such profile names exist.
Mitigation Strategies

The immediate mitigation step is to upgrade the systeminformation library to version 5.31.6 or later, where the vulnerability is fixed.

Until the upgrade is applied, avoid using or creating NetworkManager connection profiles with names containing shell metacharacters, as these can be exploited for command injection.

Additionally, consider restricting permissions to prevent untrusted users from creating or renaming NetworkManager connection profiles.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44724. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart