{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-26318","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-02-13T16:27:51.807Z","datePublished":"2026-02-19T19:48:55.816Z","dateUpdated":"2026-06-30T12:08:10.621Z"},"containers":{"cna":{"title":"systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`","problemTypes":[{"descriptions":[{"cweId":"CWE-78","lang":"en","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46","tags":["x_refsource_CONFIRM"],"url":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46"},{"name":"https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107","tags":["x_refsource_MISC"],"url":"https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107"}],"affected":[{"vendor":"sebhildebrandt","product":"systeminformation","versions":[{"version":"< 5.31.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-19T19:48:55.816Z"},"descriptions":[{"lang":"en","value":"systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue."}],"source":{"advisory":"GHSA-5vv4-hvf7-2h46","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-19T20:57:34.116139Z","id":"CVE-2026-26318","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-19T21:21:25.502Z"}},{"affected":[{"cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"affected","product":"Red Hat Developer Hub","vendor":"Red Hat"}],"datePublic":"2026-02-19T19:48:55.816Z","descriptions":[{"lang":"en","value":"A flaw was found in systeminformation, a System and OS information library for node.js. This vulnerability allows a local attacker with low privileges to inject and execute arbitrary commands due to unsanitized output from the `locate` command within the `versions()` function. Successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-26318"},{"name":"RHBZ#2441124","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441124"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26318.json"}],"timeline":[{"lang":"en","time":"2026-02-19T21:03:55.660Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-19T19:48:55.816Z","value":"Made public."}],"title":"systeminformation: systeminformation: Arbitrary code execution via unsanitized `locate` output","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:10.621Z"}}]}}