Description
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Apply patch
AI Analysis

Impact

thumbler, a Node.js library for image processing, has an OS command injection flaw in its thumbnail() function. User‑supplied values for the input, output, time, or size parameters are concatenated directly into a shell command that is executed with child_process.exec(). This allows an attacker to inject arbitrary shell commands, giving full control over the operating system on any system where the library runs.

Affected Systems

The flaw affects the npm package thumbler, version 1.1.2 and earlier. Any application or utility that imports thumbler and calls thumbnail()—for example web services or command‑line tools running in a Node.js environment—is at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. EPSS is below 1 %, implying a relatively low probability of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalogue. The likely attack vector is the injection of malicious data into the thumbnail() parameters, which could occur through an exposed web endpoint or a command‑line script. If such data can reach the library, arbitrary commands would execute with the process’s privileges, potentially compromising the entire host.

Generated by OpenCVE AI on March 30, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade thumbler to the latest, fixed release or any version newer than 1.1.2.
  • If an upgrade is not immediately possible, validate, escape, or otherwise sanitize all input, output, time, and size arguments before they are concatenated into the shell command.
  • Replace the use of child_process.exec with a safer alternative that does not invoke a shell, such as spawning the process without a shell.

Generated by OpenCVE AI on March 30, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mvhf-547c-h55r thumbler allows OS Command Injection
History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Library

Mon, 30 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
CPEs cpe:2.3:a:mmahrous:thumbler:*:*:*:*:*:node.js:*:*

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Library

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Thumbler OS Command Injection via Thumbnail Parameters
Weaknesses CWE-78

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Thumbler OS Command Injection via Thumbnail Parameters
Weaknesses CWE-78

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Thumbnail Function
Weaknesses CWE-77

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mmahrous
Mmahrous thumbler
Vendors & Products Mmahrous
Mmahrous thumbler

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Thumbnail Function
Weaknesses CWE-77

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
References

Subscriptions

Mmahrous Thumbler
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-28T01:17:25.554Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26833

cve-icon Vulnrichment

Updated: 2026-03-28T01:17:19.719Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T16:16:21.390

Modified: 2026-03-30T13:28:03.093

Link: CVE-2026-26833

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:58:02Z

Weaknesses