{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26833", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z"}, "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mmahrous/thumbler"}, {"url": "https://www.npmjs.com/package/thumbler"}, {"url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26833"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "id": "CVE-2026-26833", "lastModified": "2026-03-26T15:13:15.790", "metrics": {}, "published": "2026-03-25T16:16:21.390", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mmahrous/thumbler"}, {"source": "cve@mitre.org", "url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26833"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/thumbler"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "thumbler", "vendor": "mmahrous"}], "analysis": {"en": {"generated_at": "2026-03-26T04:00:48.539299+00:00", "value": {"mitigation_remediation": ["Upgrade thumbler to the latest available version that fixes the OS command injection issue.", "Remove or replace any use of thumbnail() where external input for input, output, time, or size could be supplied.", "Implement stringent validation or sanitization of those parameters before they are passed to child_process.exec.", "Limit the exposure of functions that use thumbnail() to authenticated users or internal network only."], "summary": {"action": "Apply Patch", "impact": "Remote OS Command Execution"}, "threat_synthesis": {"affected_systems": "Any deployment of thumbler version 1.1.2 that is included in a Node.js application is affected. Since thumbler is a public npm package, any project that imports this particular version\u2014whether it is a web service, API endpoint, or command\u2011line tool\u2014introduces the risk if the thumbnail() function is called with parameters that can be influenced by external input.", "description_and_impact": "thumbler, a Node.js image\u2011thumbnailing library, contains an OS command injection flaw (CWE\u201177). The vulnerability arises because the thumbnail() function concatenates the user\u2011supplied input, output, time, or size directly into a shell command executed via child_process.exec() without escaping or validation. This allows an attacker to inject arbitrary shell commands, leading to remote execution of code on the host machine, potentially compromising confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "Based on the description, if an application exposes these parameters to user input, an attacker can inject arbitrary commands into the shell. The flaw carries a high risk because successful exploitation would allow an attacker to take full control of the host with the privileges of the Node.js process. The vulnerability is not listed in CISA's KEV catalog and EPSS data is unavailable, yet the simplicity of injecting commands suggests that exploitation could be readily executed without complex preparation. Successful exploitation could enable persistence or data exfiltration."}}}}, "created": "2026-03-25T20:57:00.341652+00:00", "updated": "2026-03-26T12:18:39.858830+00:00", "vendors": ["mmahrous", "mmahrous$PRODUCT$thumbler"]}