Fluid Attacks Database

Description

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions(). Version 5.31.0 fixes the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	systeminformation	>=0 <5.31.0	5.31.0
debian 13	jupyterlab	=4.0.11+ds1+~cs11.25.27-7 \|\| =4.0.11+ds1+~cs11.25.27-8 \|\| =4.0.11+ds1+~cs11.25.27-9 \|\| =4.0.11+ds2+~cs11.25.27-1 \|\| =4.0.11+ds2+~cs11.25.27-3 \|\| =4.0.11+ds3+~cs11.25.27-1 \|\| =4.0.11+ds4+~cs11.25.27-1 \|\| =4.0.11+ds4+~cs11.25.27-2 \|\| =4.0.11+ds4+~cs11.25.27-3 \|\| =4.0.11+ds4+~cs11.25.27-4 \|\| =4.0.11+ds5+~cs11.25.27-1 \|\| =4.0.13+ds1+~2.0.1+~cs1.4.4-1	-
debian 14	jupyterlab	=4.0.11+ds1+~cs11.25.27-7 \|\| =4.0.11+ds1+~cs11.25.27-8 \|\| =4.0.11+ds1+~cs11.25.27-9 \|\| =4.0.11+ds2+~cs11.25.27-1 \|\| =4.0.11+ds2+~cs11.25.27-3 \|\| =4.0.11+ds3+~cs11.25.27-1 \|\| =4.0.11+ds4+~cs11.25.27-1 \|\| =4.0.11+ds4+~cs11.25.27-2 \|\| =4.0.11+ds4+~cs11.25.27-3 \|\| =4.0.11+ds4+~cs11.25.27-4 \|\| >=0 <4.0.11+ds5+~cs11.25.27-1	4.0.11+ds5+~cs11.25.27-1

Aliases

1. CVE-2026-263182. NVD-2026-263183. OSV-2026-263184. OSV-DEBIAN-2026-263185. GHSA-5vv4-hvf7-2h466. GCVE-2026-263187. SECURITY-TRACKER-CVE-2026-26318

References

1. https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h462. https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107