Share
## https://sploitus.com/exploit?id=PACKETSTORM:217869
# CVE-2026-26830: OS command injection in pdf-image
    
    ## Summary
    
    `pdf-image` through version `2.0.0` allows OS command injection via
    the `pdfFilePath` argument. The package builds shell command strings
    with `util.format()` and executes them with `child_process.exec()`.
    If an application passes an attacker-controlled file path into
    `PDFImage`, shell metacharacters in that path can lead to arbitrary
    command execution.
    
    ## Affected product
    
    | Product | Affected versions | Fixed version |
    | --- | --- | --- |
    | pdf-image | all versions through 2.0.0 | no fix available as of 2026-03-24 |
    
    ## Vulnerability details
    
    - CVE ID: `CVE-2026-26830`
    - CWE: `CWE-78` - OS Command Injection
    - CVSS 3.1: `9.8` (`Critical`)
    - Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
    - Affected component: `index.js`
    
    The vulnerable code path reaches `constructGetInfoCommand()` and
    `constructConvertCommandForPage()`, both of which interpolate the PDF
    path into a shell command before calling `child_process.exec()`.
    
    ## Technical impact
    
    Any application that accepts a user-controlled PDF path and passes it
    to `pdf-image` can end up executing attacker-supplied shell commands
    on the host system.
    
    ## Proof of concept
    
    ```js
    const { PDFImage } = require("pdf-image");
    
    const pdfImage = new PDFImage('test.pdf"; touch /tmp/pwned; echo "');
    pdfImage.getInfo();
    ```
    
    If the injected command runs, the process creates `/tmp/pwned`.
    
    ## Mitigation
    
    No fixed npm release is available at the time of writing.
    
    If you still depend on this package:
    
    1. Stop passing untrusted file paths into `PDFImage`.
    2. Replace shell-string construction with argument-safe process
       execution such as `execFile()` or `spawn()` with an array.
    3. Prefer a maintained alternative or a private fork with a fix.
    
    ## References
    
    - https://www.npmjs.com/package/pdf-image
    - https://github.com/mooz/node-pdf-image
    - https://github.com/mooz/node-pdf-image/blob/master/index.js