PatchSiren cyber security CVE debrief
CVE-2026-44724 sebhildebrandt CVE debrief
CVE-2026-44724 is a command injection vulnerability in the systeminformation Node.js library affecting versions 4.17.0 through 5.31.5 on Linux systems. The vulnerability exists in the networkInterfaces() function, where an unsanitized NetworkManager connection profile name—obtained from nmcli device status output—is interpolated into shell command strings executed via execSync(). While the library sanitizes network interface names, it fails to apply equivalent sanitization to the parsed connectionName value. An attacker with local access and the ability to influence NetworkManager connection profile names could inject shell metacharacters to achieve arbitrary code execution. The CVSS 3.1 score of 7.8 (HIGH) reflects the local attack vector with low attack complexity, low privileges required, and high impacts to confidentiality, integrity, and availability. This vulnerability was disclosed on May 27, 2026, and is fixed in version 5.31.6.
- Vendor
- sebhildebrandt
- Product
- systeminformation
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Organizations running Node.js applications on Linux that depend on systeminformation versions 4.17.0 through 5.31.5, particularly those in multi-user environments where NetworkManager connection profiles may be attacker-influenced. Development teams using systeminformation for system inventory or monitoring should prioritize patching.
Technical summary
The systeminformation library (4.17.0-5.31.5) on Linux fails to sanitize NetworkManager connection profile names obtained from nmcli output before interpolating them into shell commands via execSync(). This allows command injection when connection profile names contain shell metacharacters. The vulnerability is in networkInterfaces() and is fixed in 5.31.6.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade systeminformation to version 5.31.6 or later to remediate the command injection vulnerability
- Audit NetworkManager connection profile names on Linux systems for unexpected shell metacharacters as a detection measure
- Review application code for any custom parsing of nmcli output that may replicate this sanitization gap
- Implement input validation and sanitization for any system-derived values passed to shell execution functions in Node.js applications
- Consider using execFile or spawn with argument arrays instead of execSync with string interpolation to reduce command injection risk
- Monitor for anomalous process execution from Node.js applications using systeminformation on affected versions
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-hvx9-hwr7-wjj9. Affected versions explicitly stated as 4.17.0 to 5.31.5. Fix version 5.31.6 confirmed. CWE-78 (OS Command Injection) assigned. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H supports HIGH severity rating.
Official resources
-
CVE-2026-44724 CVE record
CVE.org
-
CVE-2026-44724 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-27