CVE-2026-26830

Published: Mar 25, 2026Modified: Apr 2, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: MITRE (Secondary)

Description

pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()

Affected (1)

Products: Pdf Image Project: Pdf Image

Pdf Image Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pdf Image Project Pdf Image	Up to 2.0.0

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://github.com/mooz/node-pdf-image

Source: cve@mitre.org

Product

https://github.com/zebbernCVE/CVE-2026-26830

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.npmjs.com/package/pdf-image

Source: cve@mitre.org

Product

Timeline

No history available yet.