{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26830", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T15:03:56.633Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:03:56.633Z"}, "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/pdf-image"}, {"url": "https://github.com/mooz/node-pdf-image"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}], "id": "CVE-2026-26830", "lastModified": "2026-03-25T15:41:33.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-25T15:16:38.620", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mooz/node-pdf-image"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26830"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/pdf-image"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pdf-image", "vendor": "mooz"}], "analysis": {"en": {"generated_at": "2026-03-26T04:39:28.096897+00:00", "value": {"mitigation_remediation": ["Update the pdf-image package to version higher than 2.0.0 if a patch is available.", "Validate or sanitize any value assigned to pdfFilePath before it is passed to pdf\u2011image, ensuring it cannot contain unexpected shell characters.", "Run the Node.js application with the least privilege necessary to limit the impact of any potential exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "Any Node.js application that includes pdf\u2011image version 2.0.0 or earlier is affected. Projects that depend on pdf\u2011image, either directly or indirectly, inherit this flaw. Identifying dependencies that reference pdf\u2011image in their package.json will reveal the impacted installations.", "description_and_impact": "pdf-image, a widely used Node.js package, contains an OS command injection flaw in its pdfFilePath handling. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to embed a user\u2011controlled file path into a shell command that is executed via child_process.exec(). This design allows the execution of arbitrary commands with the privileges of the running Node.js process, a classic command injection vulnerability classified under CWE\u201178.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, indicating critical severity. Epistemically inferred, the attack vector is likely local or remote via malicious input supplied through the pdfFilePath parameter to an application that exposes this interface. The lack of mitigation guidance and the straightforward nature of the input handling suggest a high likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, nor is an EPSS score available, yet the risk remains high due to the ability to execute arbitrary commands with the privileges of the running process."}}}}, "created": "2026-03-25T20:57:03.259172+00:00", "updated": "2026-03-26T12:18:41.692046+00:00", "vendors": ["mooz", "mooz$PRODUCT$pdf-image"]}