CVE-2026-26833

Name of the Vulnerable Software and Affected Versions thumbler versions prior to 1.1.3

Description The software contains a flaw that allows for the injection of operating system commands. This occurs through the input, output, time, or size parameters within the thumbnail() function. The issue arises because user-supplied input is directly incorporated into a shell command string passed to child process.exec() without adequate sanitization or escaping. This lack of proper handling enables an attacker to execute arbitrary commands on the system.

Recommendations Update thumbler to version 1.1.3 or later.