Skip to main content

CVE-2026-26833

| EUVDEUVD-2026-15463 CRITICAL
Code Injection (CWE-94)
2026-03-25 mitre GHSA-mvhf-547c-h55r
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:16 euvd
EUVD-2026-15463
Analysis Generated
Mar 25, 2026 - 16:16 vuln.today
CVE Published
Mar 25, 2026 - 00:00 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on thumbler (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.1.2.

DescriptionCVE.org

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.

AnalysisAI

Thumbler through version 1.1.2 contains an OS command injection vulnerability in the thumbnail() function where user-supplied input from the input, output, time, or size parameters is directly concatenated into shell commands executed via Node.js child_process.exec() without sanitization or escaping. This allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process. A proof-of-concept has been documented in public repositories, making this vulnerability immediately actionable for exploitation.

Technical ContextAI

Thumbler is a Node.js image thumbnail generation library distributed via npm (https://www.npmjs.com/package/thumbler). The vulnerability exists in the core thumbnail() function located in lib/thumbler.js, where user-controlled parameters are passed directly to child_process.exec(), a synchronous command execution method that invokes a shell to parse and execute the command string. This is a classic command injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) where metacharacters like backticks, semicolons, pipes, and command substitution syntax ($()) are not filtered or escaped before shell execution. The affected CPE is cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* based on available metadata, though the package is clearly identified as 'thumbler' on npm. Any application using thumbler to generate thumbnails from user-supplied image paths, dimensions, or metadata is vulnerable if that input reaches the affected parameters.

RemediationAI

Immediately upgrade thumbler to a version newer than 1.1.2 by updating package.json and running npm update thumbler. Contact the thumbler maintainers (mmahrous) at https://github.com/mmahrous/thumbler to obtain or confirm the availability of a patched release that properly sanitizes or escapes all user-supplied parameters before passing them to child_process.exec(). As an interim mitigation, if upgrading is not immediately possible, refactor code to avoid passing user-controlled input directly to the thumbnail() function, or implement strict input validation that whitelists only alphanumeric characters and safe file path components. Consider replacing thumbler with an alternative image processing library that uses programmatic APIs (such as Sharp or ImageMagick bindings) instead of shell command concatenation. Additionally, run the application with minimal process privileges and use containerization with restricted filesystem and capability settings to limit blast radius if exploitation occurs.

Share

CVE-2026-26833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy