CVE-2020-26274: 
JavaScript vulnerability analysis and mitigation

In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The vulnerability was discovered and disclosed in December 2020, affecting all versions of the package prior to 4.31.1. The vulnerability specifically impacts the systeminformation npm package, which is a system and OS information library for Node.js (GitHub Advisory, NVD).

The vulnerability is classified as a command injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command). It received a CVSS v3.1 base score of 8.8 HIGH from NIST NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. GitHub assigned it a CVSS score of 6.4 MEDIUM with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow an attacker to execute arbitrary OS commands through command injection, potentially leading to unauthorized access, data manipulation, or system compromise (GitHub Advisory).

The vulnerability was fixed in version 4.31.1 with a shell string sanitation fix. Users are recommended to upgrade to version 4.31.1 or later. If upgrading is not possible, users should check or sanitize service parameter strings that are passed to si.inetLatency() (GitHub Advisory).