CVE-2026-26830: pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGe

Description

pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a

References

https://www.npmjs.com/package/pdf-image
https://github.com/mooz/node-pdf-image
https://github.com/zebbernCVE/CVE-2026-26830

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N

CISA KEV❌ No

Actively exploited❌ No

Published3/25/2026

Last enriched11h ago

Trending Score0

Source articles0

Independent0

Info Completeness4/14

Missing: vendor, product, versions, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: verified

Confidence: 100%