PT-2026-20783 · Node.Js+2 · Node.Js+3

Sanu1999 · Published 2026-02-18 · Updated 2026-02-26 · CVE-2026-26318

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: systeminformation versions prior to 5.31.0
Description: The systeminformation library for Node.js is susceptible to command injection through unsanitized output from the locate command within the versions() function. This occurs when detecting the PostgreSQL version on Linux systems. The locate command searches a system-wide database of filenames, and if any indexed filename contains shell metacharacters (specifically semicolons), those characters are interpreted by the shell when the filename is passed to exec(). The vulnerability requires the target system to be running Linux, to have locate installed, and to contain a PostgreSQL binary in the locate database. An attacker who can create files on the filesystem that are later indexed by updatedb can achieve arbitrary command execution with the privileges of the Node.js process. The issue is triggered when the versions() function is called, for example in monitoring dashboards, CI/CD pipelines, or containerized environments. The vulnerability is exploitable only if the attacker can create files on the filesystem and the locate database is subsequently updated. The package receives approximately 5,000,000+ downloads weekly.
Recommendations: Versions prior to 5.31.0 should be updated to version 5.31.0 or later. Replace exec() with execFile() for the PostgreSQL binary version check, so that the path is passed as an argument rather than interpreted by a shell. Additionally, the locate output should be validated against a safe path pattern before use.

Tags: Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-26318
GHSA-5VV4-HVF7-2H46

Affected Products

Node.Js
Postgresql
Slocate
Systeminformation