CVE-2026-26833

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Mar 25, 2026

Vendor unknown

Description

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.

References

https://github.com/mmahrous/thumbler
https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js
https://github.com/zebbernCVE/CVE-2026-26833
https://www.npmjs.com/package/thumbler