{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26830", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T03:58:17.377Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:03:56.633Z"}, "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/pdf-image"}, {"url": "https://github.com/mooz/node-pdf-image"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T03:57:52.228906Z", "id": "CVE-2026-26830", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T03:58:17.377Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26830", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T03:57:52.228906Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T03:58:13.661Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.npmjs.com/package/pdf-image"}, {"url": "https://github.com/mooz/node-pdf-image"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26830"}], "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:03:56.633Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26830", "state": "PUBLISHED", "dateUpdated": "2026-03-27T03:58:17.377Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pdf-image_project:pdf-image:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "AD829412-7894-4487-9AD2-D0D6457CCDDF", "versionEndIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}, {"lang": "es", "value": "pdf-image (paquete npm) hasta la versi\u00f3n 2.0.0 permite la inyecci\u00f3n de comandos del sistema operativo a trav\u00e9s del par\u00e1metro pdfFilePath. Las funciones constructGetInfoCommand y constructConvertCommandForPage usan util.format() para interpolar rutas de archivo controladas por el usuario en cadenas de comandos de shell que se ejecutan a trav\u00e9s de child_process.exec()."}], "id": "CVE-2026-26830", "lastModified": "2026-04-02T20:13:29.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-25T15:16:38.620", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/mooz/node-pdf-image"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/zebbernCVE/CVE-2026-26830"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.npmjs.com/package/pdf-image"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pdf-image", "vendor": "mooz"}], "analysis": {"en": {"generated_at": "2026-04-02T22:45:58.545949+00:00", "value": {"mitigation_remediation": ["Upgrade the pdf-image npm package to any release newer than 2.0.0 that resolves the command injection issue", "If an upgrade is not possible, validate and sanitize the pdfFilePath input to allow only trusted characters and directories before constructing the shell command", "Run the Node.js process with the least privileges required and consider isolating it in a container to contain potential exploitation"], "summary": {"action": "Immediate Patch", "impact": "Remote OS Command Execution"}, "threat_synthesis": {"affected_systems": "All Node.js applications that depend on pdf\u2011image version 2.0.0 or earlier are affected, regardless of operating system or deployment environment. The issue resides entirely in the JavaScript library, so any project that accepts external PDF file paths and uses pdf\u2011image for image extraction is at risk. No vendor or OS is singled out in the CVE data.", "description_and_impact": "The pdf-image npm package contains a flaw where user\u2011controlled pdfFilePath values are directly interpolated into shell command strings via util.format() and executed with child_process.exec. Because the path is not properly validated, an attacker can append arbitrary shell commands, leading to the execution of any command with the privileges of the Node.js process. This vulnerability is classified as CWE\u201194 and can compromise confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a high severity. With an EPSS score below 1\u202f% the likelihood of automated exploitation is low, but the possible impact is catastrophic. Based on the description, it is inferred that a remote attacker can trigger the injection by providing a malicious pdfFilePath through web requests, file uploads, or inter\u2011process communication. Once executed, the attacker gains full control of the host with whatever privileges the Node.js process runs under. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants top\u2011priority mitigation."}}}}, "created": "2026-03-25T20:57:03.259172+00:00", "title": "OS Command Injection in pdf\u2011image npm Package", "updated": "2026-04-03T09:39:09.787649+00:00", "vendors": ["mooz", "mooz$PRODUCT$pdf-image"]}