{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26830", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T03:58:17.377Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:03:56.633Z"}, "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/pdf-image"}, {"url": "https://github.com/mooz/node-pdf-image"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T03:57:52.228906Z", "id": "CVE-2026-26830", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T03:58:17.377Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26830", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T03:57:52.228906Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T03:58:13.661Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.npmjs.com/package/pdf-image"}, {"url": "https://github.com/mooz/node-pdf-image"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26830"}], "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:03:56.633Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26830", "state": "PUBLISHED", "dateUpdated": "2026-03-27T03:58:17.377Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()"}, {"lang": "es", "value": "pdf-image (paquete npm) hasta la versi\u00f3n 2.0.0 permite la inyecci\u00f3n de comandos del sistema operativo a trav\u00e9s del par\u00e1metro pdfFilePath. Las funciones constructGetInfoCommand y constructConvertCommandForPage usan util.format() para interpolar rutas de archivo controladas por el usuario en cadenas de comandos de shell que se ejecutan a trav\u00e9s de child_process.exec()."}], "id": "CVE-2026-26830", "lastModified": "2026-03-27T05:16:02.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-25T15:16:38.620", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mooz/node-pdf-image"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26830"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/pdf-image"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pdf-image", "vendor": "mooz"}], "analysis": {"en": {"generated_at": "2026-03-27T06:30:42.379475+00:00", "value": {"mitigation_remediation": ["Update the pdf-image package to the latest patched version that eliminates the command construction flaw.", "If an instant update is not possible, verify that all user\u2011supplied pdfFilePath values are strictly validated, allowed only for trusted, whitelisted paths, and that no path components can inject shell syntax.", "Consider removing the pdf-image dependency entirely or replacing it with a library that performs PDF processing without invoking shell commands.", "Maintain vigilance by regularly reviewing the package\u2019s repository and advisories for any new security updates."], "summary": {"action": "Apply Patch", "impact": "OS Command Injection"}, "threat_synthesis": {"affected_systems": "Node.js applications that depend on the pdf-image package, specifically versions released before 2.0.0 on the mooz/node\u2011pdf\u2011image repository. Any deployment that integrates this package for converting or inspecting PDF files is susceptible.", "description_and_impact": "The pdf-image NPM package through version 2.0.0 concatenates untrusted user\u2011supplied file paths into shell command strings via util.format and executes them with child_process.exec. This design flaw permits arbitrary system command execution by an attacker who can control the pdfFilePath parameter, matching CWE\u201194, and can lead to full compromise of the host executing the Node.js process.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, indicating critical severity, while the EPSS score of less than 1% suggests that, so far, exploitation attempts may be rare or not publicly observed. The vulnerability is not listed in the CISA KEV catalog, implying limited known exploitation. However, the attack path is likely remote: a malicious actor can trigger the flaw by supplying a specially crafted pdfFilePath through a web interface or API that relies on pdf\u2011image. Once triggered, command injection can grant the attacker arbitrary control over the underlying operating system."}}}}, "created": "2026-03-25T20:57:03.259172+00:00", "updated": "2026-03-27T09:20:29.678433+00:00", "vendors": ["mooz", "mooz$PRODUCT$pdf-image"]}