CVE-2026-26318 — Command Injection via Unsanitized `locate` Output in `versions()`

Description

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

How to fix CVE-2026-26318

To remediate CVE-2026-26318, upgrade the affected package to a fixed version below.

—no fix listed
—no fix listed
—upgrade to 5.31.0 or later

Is CVE-2026-26318 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
from 0
from 0, < 5.31.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-26318
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-26318
PATCHgithub.com/sebhildebrandt/systeminformation
WEBgithub.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107