OS Command Injection Affecting kibana-9.2-config package, versions *


Severity

Recommended: 0.0 high (scale 0 to 10)

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence

EPSS: 1.23% (66th percentile)

  • Snyk ID: SNYK-MINIMOSLATEST-KIBANA92CONFIG-15337578
  • published: 24 Feb 2026
  • disclosed: 19 Feb 2026

Introduced: 19 Feb 2026

CVE-2026-26280
CWE-78

How to fix?

There is no fixed version for Minimos:latest kibana-9.2-config.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kibana-9.2-config package and not the kibana-9.2-config package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In lib/wifi.js, the wifiNetworks() function sanitizes the iface parameter on the initial call (line 437). However, when the initial scan returns empty results, a setTimeout retry (lines 440-441) calls getWifiNetworkListIw(iface) with the original unsanitized iface value, which is passed directly to execSync('iwlist ${iface} scan'). Any application passing user-controlled input to si.wifiNetworks() is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
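
The pattern described above, reduced to a small model: sanitized first call, unsanitized retry, and a hardened form. This is an added example, not code from systeminformation or from the advisory. The sanitizer, the recording stub that stands in for execSync, the synchronous retry and the sample input are all assumptions constructed for illustration.

```javascript
// Simplified model of the flaw; commands are recorded by a stub, never executed.

// Assumed allow-list sanitizer: keep only characters valid in an interface name.
function sanitizeIface(iface) {
  return String(iface).replace(/[^A-Za-z0-9_.:-]/g, '');
}

// Stub standing in for execSync: records each command line, returns an empty scan
// so that the retry path is always taken.
function makeRecorder() {
  const commands = [];
  return { commands, run: (cmd) => { commands.push(cmd); return ''; } };
}

const scan = (run, iface) => run(`iwlist ${iface} scan`);

// Flawed shape: the first call is sanitized, the retry reuses the raw parameter.
function wifiNetworksFlawed(run, iface) {
  let result = scan(run, sanitizeIface(iface));
  if (result === '') result = scan(run, iface); // unsanitized value reaches the shell string
  return result;
}

// Hardened shape: sanitize once, reject empty names, use only the sanitized value.
function wifiNetworksFixed(run, iface) {
  const safe = sanitizeIface(iface);
  if (safe === '') throw new Error('invalid interface name');
  let result = scan(run, safe);
  if (result === '') result = scan(run, safe);
  return result;
}

// Regression check: every command built must be exactly "iwlist <name> scan".
const SAFE_CMD = /^iwlist [A-Za-z0-9_.:-]+ scan$/;
const allSafe = (commands) => commands.every((c) => SAFE_CMD.test(c));

// Run both shapes over one input and return the command lines each one built.
function demo(input) {
  const flawed = makeRecorder();
  const fixed = makeRecorder();
  wifiNetworksFlawed(flawed.run, input);
  wifiNetworksFixed(fixed.run, input);
  return { flawed: flawed.commands, fixed: fixed.commands };
}

console.log(demo('wlan0; echo INJECTED')); // constructed input
```

Where the calling code allows it, passing the interface as an argument array to execFileSync('iwlist', [safe, 'scan']) avoids shell parsing altogether and is a stronger control than sanitizing a command string.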

CVSS Base Scores

version 3.1