CVE-2026-26832
OS Command Injection in node-tesseract-ocr recognize() Function
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zapolnoch | node-tesseract-ocr | up to and including 2.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include treating all input file paths as untrusted and avoiding building shell command strings by joining command components with spaces.
Instead of using child_process.exec(), use safer alternatives such as child_process.execFile() or child_process.spawn() with explicit arguments to prevent shell injection.
Consider migrating to a maintained wrapper or safely calling the Tesseract OCR engine from custom code that properly sanitizes inputs.
Monitor for updates or patches to the node-tesseract-ocr package that address this vulnerability, as no fixed version was available as of March 24, 2026.
Can you explain this vulnerability to me?
The vulnerability exists in the node-tesseract-ocr npm package, specifically in the recognize() function within src/index.js. This function takes a file path parameter and concatenates it directly into a shell command string that is executed using child_process.exec() without proper sanitization. This lack of input validation allows an attacker to perform OS Command Injection by injecting malicious commands through the file path parameter.
How can this vulnerability impact me?
Because the vulnerability allows OS Command Injection, an attacker can execute arbitrary operating system commands on the affected system with the privileges of the Node.js process. This can lead to complete system compromise, including unauthorized data access, data modification, deletion, or disruption of service. The CVSS score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain information regarding the impact of CVE-2026-26832 on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the node-tesseract-ocr package at version 2.2.1 or earlier is installed on your system; those versions use the vulnerable recognize() function in src/index.js that constructs shell commands unsafely.
To detect exploitation attempts, you can monitor for unusual file creation or command execution triggered by the OCR process, such as unexpected files like /tmp/pwned created by injected commands.
A practical detection command example is to check for the presence of suspicious files created by exploitation payloads, for example:
- `ls -l /tmp/pwned`
Additionally, you can audit your application logs or enable debug mode in node-tesseract-ocr to log executed commands and stderr output to identify injected shell commands.
Since the vulnerability involves command injection via the file path parameter, reviewing the source code or usage of child_process.exec() with unsanitized input in your application can help detect vulnerable code.