CVE-2026-26830

CRITICAL

pdf-image through 2.0.0 - Command Injection

Title source: llm

Description

pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()

Exploits (1)

nomisec WRITEUP

by zebbernCVE · poc

https://github.com/zebbernCVE/npm-cve-2026-26830-26833

View Code ZIP pw:eip

References (3)

https://www.npmjs.com/package/pdf-image

https://github.com/mooz/node-pdf-image

View Writeup ZIP pw:eip

https://github.com/zebbernCVE/CVE-2026-26830

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0079

EPSS Percentile 73.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

npm/pdf-image 0npm

pdf-image_project/pdf-image < 2.0.0

Published Mar 25, 2026

Tracked Since Mar 25, 2026