CVE-2026-26280

Name of the Vulnerable Software and Affected Versions systeminformation versions prior to 5.30.8

Description The software contains a command injection issue in the wifiNetworks() function. This allows an attacker to execute arbitrary OS commands through an unsanitized network interface parameter during a retry process. Specifically, the wifiNetworks() function sanitizes the iface parameter initially, but a subsequent retry call to getWifiNetworkListIw(iface) uses the original, unsanitized iface value. This unsanitized value is then passed directly to the execSync('iwlist ${iface} scan') command. Any application providing user-controlled input to the si.wifiNetworks() function is susceptible to arbitrary command execution with the privileges of the Node.js process. The vulnerable code is located in lib/wifi.js lines 440-441.

Recommendations Versions prior to 5.30.8 should be updated to version 5.30.8 or later.