Description
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: 2.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

thumbler, a Node.js library that produces image thumbnails, has an OS command injection flaw in its thumbnail() function. The library concatenates user-controlled parameters such as input, output, time, or size directly into a shell command string that is executed via child_process.exec() without any sanitization or escaping. This results in a classic OS Command Injection vulnerability (CWE‑78) and also allows JavaScript code injection (CWE‑94). An attacker who can influence these API arguments can execute arbitrary shell commands on the host system with the privileges of the Node.js process, compromising confidentiality, integrity, and availability.

Affected Systems

Vulnerable releases of thumbler up to version 1.1.2 are affected. The npm package thumbler is maintained by the user mmahrous and distributed under the npm registry. Any Node.js application that imports thumbler and calls the thumbnail() API with unsanitized arguments is at risk. External codebases that embed this library, regardless of the surrounding application, may be impacted if they expose user input to the thumbnail() parameters.

Risk and Exploitability

The CVSS base score of 9.8 classifies this vulnerability as Critical, and the EPSS score of 2 % indicates that exploitation is reasonably likely in the wild. Although it has not yet been listed in CISA’s KEV catalog, the high severity and the ease of triggering via exposed APIs suggest a strong attack surface. An attacker can trigger the flaw simply by supplying crafted values to the thumbnail() function, leading to remote code execution with the privileges of the Node.js process.

Generated by OpenCVE AI on June 18, 2026 at 09:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade thumbler to a fixed release (any version newer than 1.1.2) or replace the library with an alternative that properly sanitizes input.
  • If an upgrade cannot be performed immediately, validate, escape, or otherwise sanitize all input, output, time and size arguments before they are concatenated into the shell command.
  • Replace the use of child_process.exec with a safer API such as child_process.spawn with the shell option disabled, or otherwise ensure that user input is not interpreted by a shell.

Generated by OpenCVE AI on June 18, 2026 at 09:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mvhf-547c-h55r thumbler allows OS Command Injection
History

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler via Unsanitized Parameters

Tue, 16 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler via Unsanitized Parameters

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Library

Mon, 30 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
CPEs cpe:2.3:a:mmahrous:thumbler:*:*:*:*:*:node.js:*:*

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Library

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Thumbler OS Command Injection via Thumbnail Parameters
Weaknesses CWE-78

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Thumbler OS Command Injection via Thumbnail Parameters
Weaknesses CWE-78

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Thumbnail Function
Weaknesses CWE-77

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mmahrous
Mmahrous thumbler
Vendors & Products Mmahrous
Mmahrous thumbler

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in thumbler Thumbnail Function
Weaknesses CWE-77

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
References

Subscriptions

Mmahrous Thumbler
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-28T01:17:25.554Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26833

cve-icon Vulnrichment

Updated: 2026-03-28T01:17:19.719Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T16:16:21.390

Modified: 2026-06-17T10:26:21.793

Link: CVE-2026-26833

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T10:00:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')