From 2dbd8aecf23300a3ac79af73b8e337169127d984 Mon Sep 17 00:00:00 2001
From: iotux <46082385+iotux@users.noreply.github.com>
Date: Thu, 1 Jan 2026 08:34:47 +0100
Subject: [PATCH] Update server/monitor-types/system-service.js

Co-authored-by: Frank Elsinga
---
 server/monitor-types/system-service.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/monitor-types/system-service.js b/server/monitor-types/system-service.js
index 227fa9438..461a5edaf 100644
--- a/server/monitor-types/system-service.js
+++ b/server/monitor-types/system-service.js
@@ -76,8 +76,12 @@ class SystemServiceMonitorType extends MonitorType {
      */
     async checkWindows(serviceName, heartbeat) {
         return new Promise((resolve, reject) => {
-            // SECURITY: Proper Escaping.
-            const safeServiceName = serviceName.replaceAll("'", "''");
+            // SECURITY: Validate service name to reduce command-injection risk
+            if (!/^[A-Za-z0-9._-]+$/.test(serviceName)) {
+                throw new Error(
+                    "Invalid service name. Only alphanumeric characters and '.', '_', '-' are allowed."
+                );
+            }
             const cmd = "powershell";
             const args = [