CVE-2026-26830
OS Command Injection in pdf-image npm via pdfFilePath Parameter
Publication date: 2026-03-25
Last updated on: 2026-04-02
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pdf-image_project | pdf-image | up to and including 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26830 is a critical OS command injection vulnerability in the npm package pdf-image, versions up to 2.0.0. The vulnerability occurs because the package uses util.format() to insert user-controlled PDF file paths directly into shell command strings, which are then executed via child_process.exec().
Specifically, the functions constructGetInfoCommand() and constructConvertCommandForPage() interpolate the pdfFilePath parameter into shell commands without sanitization, allowing an attacker to inject arbitrary shell commands.
If an attacker controls the PDF file path input, they can execute arbitrary commands on the host system with the privileges of the running process, potentially compromising the system.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows remote attackers to execute arbitrary OS commands on the host system without any privileges or user interaction.
- An attacker can gain full control over the affected system, leading to data theft, data modification, or destruction.
- It can compromise confidentiality, integrity, and availability of the system and its data.
- The CVSS score of 9.8 (Critical) reflects the high severity and ease of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the pdf-image package is executing OS commands with user-controlled input in the pdfFilePath parameter. A practical detection method is to attempt injecting shell commands via the pdfFilePath argument and observe if arbitrary commands are executed.
For example, a proof-of-concept involves passing a malicious PDF path containing shell commands such as: 'test.pdf"; touch /tmp/pwned; echo "'. If the file /tmp/pwned is created on the system, it confirms command injection.
To detect this on your system, you can run a test script or command that uses pdf-image with a crafted pdfFilePath containing shell metacharacters and then check for side effects like the creation of unexpected files.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding passing untrusted or user-controlled file paths to the pdf-image package.
Replace the vulnerable shell command string construction using util.format() and child_process.exec() with safer alternatives such as child_process.execFile() or spawn(), which accept argument arrays and prevent shell injection.
Consider using maintained alternative packages or a private fork of pdf-image with the vulnerability patched, since as of the last update no fixed version has been released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary OS commands on the host system with the privileges of the running process, potentially leading to unauthorized access, data modification, or service disruption.
Such unauthorized access and control can compromise the confidentiality, integrity, and availability of sensitive data, which are core requirements in compliance standards like GDPR and HIPAA.
Therefore, exploitation of this vulnerability could result in violations of these regulations due to potential data breaches, unauthorized data manipulation, or service outages.