CVE-2026-44724: systeminformation: Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.
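A defender-side audit for the condition described above, added here as an example (not code from systeminformation or HarborGuard): it checks a package version against the advisory's affected range and flags active NetworkManager profile names that fall outside a conservative allow-list. The helper names, the allow-list, the `nmcli -t -f NAME,DEVICE connection show --active` query and the sample output are choices of this example.

```javascript
const { execFileSync } = require('child_process');
// Affected range from the advisory: >= 4.17.0 and < 5.31.6.
const FIRST_AFFECTED = [4, 17, 0];
const FIRST_FIXED = [5, 31, 6];

// Compare two [major, minor, patch] triples; returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = version.split('-')[0].split('.').map(Number);
  if (v.length !== 3 || v.some(Number.isNaN)) throw new Error('bad version: ' + version);
  return cmp(v, FIRST_AFFECTED) >= 0 && cmp(v, FIRST_FIXED) < 0;
}

// Split one line of `nmcli -t` output on unescaped ':' and undo the
// backslash escaping that terse mode applies to ':' and '\'.
function splitTerse(line) {
  const fields = [''];
  for (let i = 0; i < line.length; i++) {
    if (line[i] === '\\' && i + 1 < line.length) fields[fields.length - 1] += line[++i];
    else if (line[i] === ':') fields.push('');
    else fields[fields.length - 1] += line[i];
  }
  return fields;
}

// Conservative allow-list (an assumption of this example): a profile name
// containing any other character is reported for review.
const SAFE_NAME = /^[A-Za-z0-9 _.:@+-]+$/;

function suspiciousProfiles(terseOutput) {
  return terseOutput.split('\n').filter(Boolean)
    .map((line) => splitTerse(line)[0])
    .filter((name) => !SAFE_NAME.test(name));
}

// Live use: argv array and no shell, so the query itself has no injection surface.
function activeProfilesFromHost() {
  return execFileSync('nmcli', ['-t', '-f', 'NAME,DEVICE', 'connection', 'show', '--active'],
    { encoding: 'utf8' });
}

// Constructed sample output (not captured from a real host).
const SAMPLE = 'Wired connection 1:eth0\noffice;wifi:wlan0\nlab\\:5GHz:wlan1\n';
```

On a Linux host, `suspiciousProfiles(activeProfilesFromHost())` lists the profiles to review; pair it with `isAffected()` on the version resolved in the lockfile.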
HarborGuard Analysis
Synopsis
Command injection in the systeminformation Node.js library (versions 4.17.0 through 5.31.5) allows a local attacker with a low-privilege account to inject shell metacharacters via a crafted NetworkManager connection profile name, which is then interpolated unsanitized into shell commands executed through execSync(). The flaw is reachable locally and requires no user interaction once the malicious profile name is in place. Successful exploitation gives the attacker full read, write, and execution capability on the host, equivalent to remote code execution at the privilege level of the Node.js process. A patched-image rebuild at version 5.31.6 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the systeminformation package directly or as a transitive dependency.
Available
HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to surface it at the appropriate severity tier. Routing to the relevant team inbox within each customer organization is available based on image ownership and policy configuration.
Available
Because the upstream fix is published at version 5.31.6, a patched-image rebuild at that version is available on HarborGuard for any environment found running an affected release. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.
Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the service is required.
- Authentication: Required
  Any low-privilege local account is sufficient; the attacker does not need administrative or root credentials to trigger the injection.
- Victim interaction: Not required
  No user action is needed once a malicious NetworkManager connection profile name is present on the system.
- Attack complexity
  The exploit is reliable and condition-free once the crafted profile name exists; no race conditions or special memory layout are required.
Blast Radius
- An attacker can read arbitrary files accessible to the Node.js process, including application secrets, environment variables, and stored credentials.
- An attacker can write or overwrite files on the host, modifying application code, configuration, or persistent data.
- An attacker can execute arbitrary shell commands at the privilege level of the running Node.js process, enabling lateral movement or privilege escalation.
- The affected service can be crashed or made unavailable by injecting commands that terminate the process or exhaust host resources.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44724 is matched against all images in connected registries and pipelines within minutes of advisory ingestion, covering both direct and transitive inclusion of systeminformation. A patched-image rebuild pinned to version 5.31.6 is available for any environment where an affected version (4.17.0 through 5.31.5) is identified. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test suite, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, the finding is routed to the appropriate team inbox with CVSS context and fix-version detail so engineers can act manually. As an interim compensating control, restricting which local accounts can create or modify NetworkManager connection profiles limits the attacker's ability to plant the malicious profile name that triggers the injection.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - sebhildebrandt / systeminformation: >= 4.17.0, < 5.31.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H