{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26833", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z"}, "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mmahrous/thumbler"}, {"url": "https://www.npmjs.com/package/thumbler"}, {"url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26833"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "id": "CVE-2026-26833", "lastModified": "2026-03-25T16:16:21.390", "metrics": {}, "published": "2026-03-25T16:16:21.390", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mmahrous/thumbler"}, {"source": "cve@mitre.org", "url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26833"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/thumbler"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:37:59.105782+00:00", "value": {"mitigation_remediation": ["Upgrade thumbler to the latest version that contains the command injection fix.", "If an upgrade is not possible, remove thumbler from the project or replace it with an alternative image\u2011processing library that does not execute shell commands.", "Validate and sanitize all input, output, time, and size parameters before passing them to child_process.exec(), or change the implementation to use safe APIs.", "Restrict network access to the application so that only trusted users can provide thumbnail parameters."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Node.js package thumbler up to and including version 1.1.2. This affects any application that imports and uses thumbler without restricting its parameters.", "description_and_impact": "thumbler versions up to 1.1.2 expose an OS command injection flaw. The thumbnail() function builds a shell command by concatenating user\u2011supplied values for input, output, time, or size into a string that is executed with child_process.exec(). This allows an attacker to inject arbitrary shell commands, leading to remote code execution and full compromise of the host running the application.", "risk_and_exploitability": "The flaw has a high severity score because it provides unrestricted command execution. No EPSS data is available, and it is not listed in CISA\u2019s KEV catalog, but the absence of mitigation means that any environment exposing thumbler to untrusted input is susceptible. Exploitation requires only the ability to supply crafted input parameters to the thumbnail function, so the attack vector is local or remote depending on how the application is exposed."}}}}, "created": "2026-03-25T20:57:00.341652+00:00", "title": "OS Command Injection in thumbler Thumbnail Function", "updated": "2026-03-25T20:57:00.341710+00:00", "vendors": [], "weaknesses": ["CWE-77"]}