Share
## https://sploitus.com/exploit?id=PACKETSTORM:217870
# CVE-2026-26833: OS command injection in thumbler
    
    ## Summary
    
    `thumbler` through version `1.1.2` allows OS command injection in
    `thumbnail()` in `lib/thumbler.js`. The package concatenates the
    `input`, `output`, `time`, and `size` values into a single `ffmpeg`
    command string and executes that string with `child_process.exec()`.
    An attacker who controls one of those values can inject shell syntax
    and run arbitrary commands.
    
    ## Affected product
    
    | Product | Affected versions | Fixed version |
    | --- | --- | --- |
    | thumbler | all versions through 1.1.2 | no fix available as of 2026-03-24 |
    
    ## Vulnerability details
    
    - CVE ID: `CVE-2026-26833`
    - CWE: `CWE-78` - OS Command Injection
    - CVSS 3.1: `9.8` (`Critical`)
    - Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
    - Affected component: `lib/thumbler.js`, `thumbnail()`
    
    The vulnerable code path constructs the following shell string:
    
    ```js
    exec(
      'ffmpeg -ss ' + time + ' -i "' + input + '" -vframes 1 -s ' +
      size + ' "' + output + '"',
      ...
    );
    ```
    
    Because the command is assembled as a string, each attacker-controlled
    field is a possible injection point.
    
    ## Technical impact
    
    Any service that generates thumbnails from user-controlled media can
    end up executing commands on the host while calling `thumbnail()`.
    
    ## Proof of concept
    
    ```js
    require("thumbler").thumbnail(
      'test.mp4"; id > /tmp/pwned; echo "',
      "/tmp/out.jpg",
      {},
      () => {}
    );
    ```
    
    ## Mitigation
    
    No fixed npm release is available at the time of writing.
    
    If you still depend on this package:
    
    1. Do not pass untrusted data into `thumbnail()`.
    2. Replace shell-string concatenation with argument-safe process
       execution.
    3. Move to a maintained thumbnail generation library or a fixed fork.
    
    ## References
    
    - https://www.npmjs.com/package/thumbler
    - https://github.com/mmahrous/thumbler
    - https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js