{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26833", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z"}, "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mmahrous/thumbler"}, {"url": "https://www.npmjs.com/package/thumbler"}, {"url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26833"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "id": "CVE-2026-26833", "lastModified": "2026-03-26T15:13:15.790", "metrics": {}, "published": "2026-03-25T16:16:21.390", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mmahrous/thumbler"}, {"source": "cve@mitre.org", "url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26833"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/thumbler"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "thumbler", "vendor": "mmahrous"}], "analysis": {"en": {"generated_at": "2026-03-26T16:38:42.402201+00:00", "value": {"mitigation_remediation": ["Upgrade thumbler to a version newer than 1.1.2"], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue applies to all installations of thumbler version 1.1.2 and earlier. Any Node.js application that imports thumbler and invokes thumbnail() with parameters that originate from external input is potentially vulnerable. The library is distributed through npm and hosted on GitHub, meaning that any project using these sources without updating is at risk.", "description_and_impact": "thumbler, a JavaScript image thumbnail library, has a flaw that permits arbitrary operating\u2011system command execution. The thumbnail() function builds a shell command by concatenating user-supplied values for its input, output, time, or size options and forwards that string to child_process.exec() without sanitizing or escaping it. When an attacker supplies crafted parameter values, they can inject commands that run with the privileges of the Node.js process, leading to loss of confidentiality, integrity, or availability of the host system.", "risk_and_exploitability": "The likelihood of exploitation is very low, with a probability below one percent, and the vulnerability is not listed in the known exploitation catalog. Nonetheless, because it allows full remote code execution, the potential impact is severe. The attack vector is generally an exposed web service or API that forwards user-provided values to thumbnail(); whoever can influence the input, output, time, or size arguments can trigger the injection."}}}}, "created": "2026-03-25T20:57:00.341652+00:00", "title": "Thumbler OS Command Injection via Thumbnail Parameters", "updated": "2026-03-27T09:20:27.507763+00:00", "vendors": ["mmahrous", "mmahrous$PRODUCT$thumbler"], "weaknesses": ["CWE-78"]}