CVE-2026-26830

Published
View on NVD ↗
CVSS v3
9.8
CRITICAL
CVSS v2
N/A
Affected
3
PROJECTS

Description

pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()

mooz/node-pdf-image
mooz/node-pdf-image
Provides an interface to convert PDF's pages to png files in Node.js by using ImageMagick
GitHubGitHub
236
zebbernCVE/CVE-2026-26830
zebbernCVE/CVE-2026-26830
Advisory for pdf-image ⌯⌲ 10 000 weekly downloads
GitHubGitHub
pdf-image
pdf-image
Provides an interface to convert PDF's pages to png files in Node.js by using ImageMagick.
NPMNPM