{
  "threat_severity" : "Important",
  "public_date" : "2026-02-19T19:48:55Z",
  "bugzilla" : {
    "description" : "systeminformation: systeminformation: Arbitrary code execution via unsanitized `locate` output",
    "id" : "2441124",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2441124"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-78",
  "details" : [ "systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.", "A flaw was found in systeminformation, a System and OS information library for node.js. This vulnerability allows a local attacker with low privileges to inject and execute arbitrary commands due to unsanitized output from the `locate` command within the `versions()` function. Successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected system." ],
  "package_state" : [ {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Will not fix",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-26318\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26318\nhttps://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107\nhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46" ],
  "name" : "CVE-2026-26318",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}