2482416 – (CVE-2026-44724) CVE-2026-44724 systeminformation: systeminformation: Command injection via NetworkManager connection profile name

Bug 2482416 (CVE-2026-44724) - CVE-2026-44724 systeminformation: systeminformation: Command injection via NetworkManager connection profile name

Summary: CVE-2026-44724 systeminformation: systeminformation: Command injection via Ne...

Keywords:
Status:	NEW
Alias:	CVE-2026-44724
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-27 21:02 UTC by OSIDB Bzimport
Modified:	2026-06-09 11:58 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-27 21:02:37 UTC

systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
alcohan
alizardo
cmah
eaguilar
ebaron
gparvin
jbalunas
jchui
jhe
jkoehler
jolong
ktsao
lphiri
nboldt
oaljalju
pahickey
pjindal
psrna
rhaigner