CVE-2026-26830

CRITICAL

pdf-image through 2.0.0 - Command Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-26830. PoCs published by zebbernCVE.

AI-analyzed exploit summary: The repository contains a functional proof-of-concept for CVE-2026-26830, demonstrating an OS command injection vulnerability in the `pdf-image` npm package through version 2.0.0. The exploit leverages shell metacharacters in the `pdfFilePath` argument to execute arbitrary commands via `child_process.exec()`.

Description

pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are then executed via child_process.exec().

Exploits (2)

nomisec WORKING POC
by zebbernCVE · poc
https://github.com/zebbernCVE/CVE-2026-26830

Classification
Working Poc 100%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: pdf-image npm package (all versions through 2.0.0)
No auth needed
Prerequisites: Attacker-controlled file path passed to `PDFImage`
devstral-2 · analyzed May 03, 2026
nomisec WRITEUP
by zebbernCVE · poc
https://github.com/zebbernCVE/npm-cve-2026-26830-26833

This repository contains detailed technical writeups for four npm package vulnerabilities (CVE-2026-26830, CVE-2026-26831, CVE-2026-26832, CVE-2026-26833), all involving OS command injection via unsanitized file paths passed to child_process.exec(). Each writeup includes vulnerability details, affected components, proof-of-concept examples, and mitigation advice.

Classification
Writeup 100%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: pdf-image (≤2.0.0), textract (≤2.5.0), node-tesseract-ocr (≤2.2.1), thumbler (≤1.1.2)
No auth needed
Prerequisites: attacker-controlled file path passed to vulnerable npm package
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3 9.8
EPSS 0.0029
EPSS Percentile 53.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
npm/pdf-image
pdf-image_project/pdf-image < 2.0.0
Published Mar 25, 2026
Tracked Since Mar 25, 2026