{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26832", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T17:52:56.510Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:43:13.630Z"}, "descriptions": [{"lang": "en", "value": "node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/node-tesseract-ocr"}, {"url": "https://github.com/zapolnoch/node-tesseract-ocr"}, {"url": "https://github.com/zapolnoch/node-tesseract-ocr/blob/master/src/index.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26832"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:52:34.791573Z", "id": "CVE-2026-26832", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:52:56.510Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26832", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:52:34.791573Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:52:52.211Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.npmjs.com/package/node-tesseract-ocr"}, {"url": "https://github.com/zapolnoch/node-tesseract-ocr"}, {"url": "https://github.com/zapolnoch/node-tesseract-ocr/blob/master/src/index.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26832"}], "descriptions": [{"lang": "en", "value": "node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:43:13.630Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26832", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:52:56.510Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization"}], "id": "CVE-2026-26832", "lastModified": "2026-03-25T18:16:30.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.240", "references": [{"source": "cve@mitre.org", "url": "https://github.com/zapolnoch/node-tesseract-ocr"}, {"source": "cve@mitre.org", "url": "https://github.com/zapolnoch/node-tesseract-ocr/blob/master/src/index.js"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26832"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/node-tesseract-ocr"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:12:08.049202+00:00", "value": {"mitigation_remediation": ["Upgrade node\u2011tesseract\u2011ocr to the latest release that removes the unsanitized exec usage (any version newer than 2.2.1).", "If an upgrade is not feasible, validate and sanitize the file path argument before invoking recognize() to eliminate shell metacharacter influence.", "Consider restricting the file path to a predefined safe directory or removing/disabling the recognize() function from public code paths.", "Review server logs for abnormal child_process execution and apply monitoring to detect potential exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of node\u2011tesseract\u2011ocr up to and including version 2.2.1 contain the vulnerable code. Any Node.js application that imports this package and calls recognize()\u2014for example, web services or scripts that process user\u2011supplied image files\u2014is affected. The issue resides in the src/index.js file of the package.", "description_and_impact": "Unvalidated file paths supplied to the recognize() function in the node-tesseract-ocr npm package are concatenated into a shell command string and passed to child_process.exec() without sanitization, creating an OS Command Injection flaw (CWE\u201178). An attacker who can influence the file path argument could inject arbitrary shell commands, potentially gaining full control over the host running the Node.js application.", "risk_and_exploitability": "The CVSS score of 9.8 marks this vulnerability as critical. The attack vector is inferred to be user\u2011controlled input via the file path parameter; any interface that accepts a file path, such as a web API or CLI, provides a potential exploitation path. Although EPSS data is not available and the vulnerability is not yet listed in the CISA KEV catalog, the straightforward exploitability and severe impact suggest a high likelihood of real\u2011world exploitation."}}}}, "created": "2026-03-25T20:57:01.279692+00:00", "title": "node\u2011tesseract\u2011ocr OS Command Injection via Unsanitized File Path", "updated": "2026-03-25T20:57:01.279745+00:00", "vendors": []}