zebbernCVE

8 exploits Active since Mar 2026
CVE-2026-26833 GITHUB CRITICAL WRITEUP
thumbler <=1.1.2 - Command Injection
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
1 stars
CVSS 9.8
CVE-2026-26833 NOMISEC CRITICAL WRITEUP
thumbler <=1.1.2 - Command Injection
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
CVSS 9.8
CVE-2026-26830 NOMISEC CRITICAL WORKING POC
pdf-image through 2.0.0 - Command Injection
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()
CVSS 9.8
CVE-2026-26831 NOMISEC CRITICAL WRITEUP
textract through 2.5.0 - Command Injection
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
CVSS 9.8
CVE-2026-26832 NOMISEC CRITICAL WRITEUP
node-tesseract-ocr through 2.2.1 - Command Injection
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization
CVSS 9.8
CVE-2026-39983 NOMISEC HIGH WRITEUP
FTP Command Injection via CRLF in basic-ftp
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
CVSS 8.6
CVE-2026-39371 NOMISEC HIGH STUB
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
CVSS 8.1
CVE-2026-26830 NOMISEC CRITICAL WRITEUP
pdf-image through 2.0.0 - Command Injection
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()
CVSS 9.8