CVE-2026-44724

Name of the Vulnerable Software and Affected Versions systeminformation versions 4.17.0 through 5.31.5

Description On Linux, the library is subject to command injection within the networkInterfaces() function. This occurs when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is retrieved internally from the output of the nmcli device status command. While the library sanitizes network interface names, it fails to apply the same sanitization to the parsed connectionName variable. This unsanitized variable is subsequently interpolated into three shell command strings executed via execSync(), allowing an attacker who can create or rename a NetworkManager connection profile to execute arbitrary shell commands with the privileges of the Node.js process.

Recommendations Update to version 5.31.6. As a temporary workaround, restrict the ability of users to create or rename NetworkManager connection profiles on affected Linux systems.