{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26833", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-28T01:17:25.554Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z"}, "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mmahrous/thumbler"}, {"url": "https://www.npmjs.com/package/thumbler"}, {"url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26833"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T01:15:11.452465Z", "id": "CVE-2026-26833", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:17:25.554Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26833", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-28T01:15:11.452465Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:17:19.719Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/mmahrous/thumbler"}, {"url": "https://www.npmjs.com/package/thumbler"}, {"url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26833"}], "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26833", "state": "PUBLISHED", "dateUpdated": "2026-03-28T01:17:25.554Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mmahrous:thumbler:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "030888A9-4BCE-4989-BFAF-19B03EC64507", "versionEndIncluding": "1.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}, {"lang": "es", "value": "thumbler hasta la versi\u00f3n 1.1.2 permite la inyecci\u00f3n de comandos del sistema operativo a trav\u00e9s del par\u00e1metro input, output, time o size en la funci\u00f3n thumbnail() porque la entrada del usuario se concatena en una cadena de comando de shell pasada a child_process.exec() sin la sanitizaci\u00f3n o el escape adecuados."}], "id": "CVE-2026-26833", "lastModified": "2026-03-30T13:28:03.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.390", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/mmahrous/thumbler"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/zebbernCVE/CVE-2026-26833"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.npmjs.com/package/thumbler"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "thumbler", "vendor": "mmahrous"}], "analysis": {"en": {"generated_at": "2026-03-30T15:05:41.671262+00:00", "value": {"mitigation_remediation": ["Upgrade thumbler to the latest, fixed release or any version newer than 1.1.2.", "If an upgrade is not immediately possible, validate, escape, or otherwise sanitize all input, output, time, and size arguments before they are concatenated into the shell command.", "Replace the use of child_process.exec with a safer alternative that does not invoke a shell, such as spawning the process without a shell."], "summary": {"action": "Apply patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the npm package thumbler, version\u202f1.1.2 and earlier. Any application or utility that imports thumbler and calls thumbnail()\u2014for example web services or command\u2011line tools running in a Node.js environment\u2014is at risk.", "description_and_impact": "thumbler, a Node.js library for image processing, has an OS command injection flaw in its thumbnail() function. User\u2011supplied values for the input, output, time, or size parameters are concatenated directly into a shell command that is executed with child_process.exec(). This allows an attacker to inject arbitrary shell commands, giving full control over the operating system on any system where the library runs.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity. EPSS is below 1\u202f%, implying a relatively low probability of widespread exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalogue. The likely attack vector is the injection of malicious data into the thumbnail() parameters, which could occur through an exposed web endpoint or a command\u2011line script. If such data can reach the library, arbitrary commands would execute with the process\u2019s privileges, potentially compromising the entire host."}}}}, "created": "2026-03-25T20:57:00.341652+00:00", "updated": "2026-03-30T20:58:02.411905+00:00", "vendors": ["mmahrous", "mmahrous$PRODUCT$thumbler"]}