{"api_version":"1","generated_at":"2026-07-17T15:55:31+00:00","cve":"CVE-2026-26318","urls":{"html":"https://cve.report/CVE-2026-26318","api":"https://cve.report/api/cve/CVE-2026-26318.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26318","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26318"},"summary":{"title":"systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`","description":"systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-02-19 20:25:44","updated_at":"2026-07-15 02:19:01"},"problem_types":["CWE-78","CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107","name":"https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441124","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2441124","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-26318","name":"https://access.redhat.com/security/cve/CVE-2026-26318","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26318.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26318.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46","name":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46","refsource":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26318","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26318","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"sebhildebrandt","product":"systeminformation","version":"affected < 5.31.0","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Developer Hub","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-02-19T21:03:55.660Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-19T19:48:55.816Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"26318","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"systeminformation","cpe5":"systeminformation","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"26318","cve":"CVE-2026-26318","epss":"0.011500000","percentile":"0.632760000","score_date":"2026-07-16","updated_at":"2026-07-17 00:05:21"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-26318","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-02-19T20:57:34.116139Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-19T21:21:25.502Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"affected","packageName":"rhdh/rhdh-hub-rhel9","product":"Red Hat Developer Hub","vendor":"Red Hat"}],"datePublic":"2026-02-19T19:48:55.816Z","descriptions":[{"lang":"en","value":"A flaw was found in systeminformation, a System and OS information library for node.js. This vulnerability allows a local attacker with low privileges to inject and execute arbitrary commands due to unsanitized output from the `locate` command within the `versions()` function. Successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-15T01:15:02.230Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-26318"},{"name":"RHBZ#2441124","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441124"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26318.json"}],"timeline":[{"lang":"en","time":"2026-02-19T21:03:55.660Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-19T19:48:55.816Z","value":"Made public."}],"title":"systeminformation: systeminformation: Arbitrary code execution via unsanitized `locate` output","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"systeminformation","vendor":"sebhildebrandt","versions":[{"status":"affected","version":"< 5.31.0"}]}],"descriptions":[{"lang":"en","value":"systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-19T19:48:55.816Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46","tags":["x_refsource_CONFIRM"],"url":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46"},{"name":"https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107","tags":["x_refsource_MISC"],"url":"https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107"}],"source":{"advisory":"GHSA-5vv4-hvf7-2h46","discovery":"UNKNOWN"},"title":"systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-26318","datePublished":"2026-02-19T19:48:55.816Z","dateReserved":"2026-02-13T16:27:51.807Z","dateUpdated":"2026-07-15T01:15:02.230Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-19 20:25:44","lastModifiedDate":"2026-07-15 02:19:01","problem_types":["CWE-78","CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2,"impactScore":6},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2,"impactScore":6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-19T20:57:34.116139Z","id":"CVE-2026-26318","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*","versionEndExcluding":"5.31.0","matchCriteriaId":"809E119A-47CB-4DDB-BB2B-A587E4D50E15"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26318","Ordinal":"1","Title":"systeminformation has Command Injection via Unsanitized `locate`","CVE":"CVE-2026-26318","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26318","Ordinal":"1","NoteData":"systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.","Type":"Description","Title":"systeminformation has Command Injection via Unsanitized `locate`"}]}}}