Command Injection Affecting systeminformation package, versions >=4.17.0 <5.31.6
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-SYSTEMINFORMATION-16677388
- published14 May 2026
- disclosed13 May 2026
- creditAli Firas (thesmartshadow) thesmartshadow
Introduced: 13 May 2026
NewCVE-2026-44724 (opens in a new tab)How to fix?
Upgrade systeminformation to version 5.31.6 or higher.
Overview
systeminformation is a simple system and OS information library.
Affected versions of this package are vulnerable to Command Injection in the networkInterfaces function when handling NetworkManager connection profile names obtained from nmcli device status output. An attacker can execute arbitrary shell commands with the privileges of the calling Node.js process by creating or renaming an active NetworkManager connection profile to include shell metacharacters, which are then unsafely interpolated into shell commands executed by the process.