CVE-2026-26280 is an OS command injection vulnerability identified in the systeminformation library for Node.js, specifically in versions prior to 5.30.8. The vulnerability resides in the wifiNetworks() function within lib/wifi.js. Initially, the iface parameter (representing the network interface) is sanitized before use. However, if the initial scan returns no results, a retry mechanism triggers a setTimeout callback that calls getWifiNetworkListIw(iface) with the original, unsanitized iface parameter. This unsanitized input is directly interpolated into a shell command executed via execSync('iwlist ${iface} scan'). Because the iface parameter is not sanitized during this retry, an attacker who can influence this parameter can inject arbitrary OS commands, which execute with the privileges of the Node.js process running the library. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and has a CVSS 3.1 base score of 8.4, indicating high severity. The attack vector is local (AV:L), requiring no privileges (PR:N) or user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are reported in the wild yet. The issue was reserved on 2026-02-12 and published on 2026-02-19. The fix involves proper sanitization of the iface parameter during all code paths, implemented in version 5.30.8. This vulnerability is critical for applications that pass user-controlled input to the wifiNetworks() function, as it allows arbitrary command execution on the host system.

The vulnerability allows attackers to execute arbitrary OS commands with the privileges of the Node.js process, potentially leading to full system compromise. This can result in unauthorized data access or modification (confidentiality and integrity impact), service disruption or denial (availability impact), and lateral movement within networks. Since the vulnerability requires only local access or the ability to supply input to the iface parameter, it poses a significant risk in multi-tenant environments, shared hosting, or applications exposing this functionality to untrusted users. Organizations relying on systeminformation for network interface scanning in security monitoring, asset management, or diagnostics may inadvertently expose themselves to remote or local attackers. The high CVSS score reflects the broad impact and ease of exploitation once input control is achieved. The lack of known exploits in the wild suggests limited current exploitation but does not diminish the urgency for remediation given the severity and potential impact.

1. Upgrade the systeminformation library to version 5.30.8 or later, where the vulnerability is fixed. 2. Audit all code paths invoking wifiNetworks() to ensure no user-controlled input is passed to the iface parameter. 3. Implement strict input validation and sanitization on any network interface parameters before passing them to systeminformation functions. 4. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to monitor and block suspicious command executions. 5. Restrict Node.js process privileges to the minimum necessary to limit the impact of potential exploitation. 6. Conduct code reviews and penetration testing focusing on injection vulnerabilities in native module calls and system command executions. 7. If upgrading immediately is not feasible, consider isolating or sandboxing the affected functionality to reduce risk. 8. Monitor security advisories and threat intelligence feeds for any emerging exploit attempts targeting this vulnerability.