CVE-2026-26832
Analyzed Analyzed - Analysis Complete
OS Command Injection in node-tesseract-ocr recognize() Function

Publication date: 2026-03-25

Last updated on: 2026-06-05

Assigner: MITRE

Description
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-06-05
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26832
EUVD
EUVD-2026-15461
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zapolnoch tesseract_ocr to 2.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the node-tesseract-ocr npm package, specifically in the recognize() function within src/index.js. This function takes a file path parameter and concatenates it directly into a shell command string that is executed using child_process.exec() without proper sanitization. This lack of input validation allows an attacker to perform OS Command Injection by injecting malicious commands through the file path parameter.

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-26832 on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if your system is running node-tesseract-ocr package version 2.2.1 or earlier, which uses the vulnerable recognize() function in src/index.js that constructs shell commands unsafely.

To detect exploitation attempts, you can monitor for unusual file creation or command execution triggered by the OCR process, such as unexpected files like /tmp/pwned created by injected commands.

A practical detection command example is to check for the presence of suspicious files created by exploitation payloads, for example:

  • ls -l /tmp/pwned

Additionally, you can audit your application logs or enable debug mode in node-tesseract-ocr to log executed commands and stderr output to identify injected shell commands.

Since the vulnerability involves command injection via the file path parameter, reviewing the source code or usage of child_process.exec() with unsanitized input in your application can help detect vulnerable code.

Mitigation Strategies

Immediate mitigation steps include treating all input file paths as untrusted and avoiding building shell command strings by joining command components with spaces.

Instead of using child_process.exec(), use safer alternatives such as child_process.execFile() or child_process.spawn() with explicit arguments to prevent shell injection.

Consider migrating to a maintained wrapper or safely calling the Tesseract OCR engine from custom code that properly sanitizes inputs.

Monitor for updates or patches to the node-tesseract-ocr package that address this vulnerability, as no fixed version was available as of March 24, 2026.

Impact Analysis

Because the vulnerability allows OS Command Injection, an attacker can execute arbitrary operating system commands on the affected system with the privileges of the Node.js process. This can lead to complete system compromise, including unauthorized data access, data modification, deletion, or disruption of service. The CVSS score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26832. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart