PT-2026-27783 · Npm · Pdf-Image

Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-26830

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

pdf-image versions through 2.0.0

Description

The pdf-image npm package is vulnerable to a critical OS command injection issue. The pdfFilePath parameter allows arbitrary commands to be injected through the constructGetInfoCommand and constructConvertCommandForPage functions. These functions use util.format() to interpolate user-supplied file paths into shell command strings, which are then executed with child_process.exec(). An attacker who controls the file path can therefore execute system commands on the underlying operating system.

Recommendations

Versions prior to 2.0.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
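
The mechanism in the description, as an added example that is not pdf-image's own code: the same file path is passed once through util.format() plus exec() and once through execFile() with an argument array, and a child process reports what it actually received. The stand-in child program, DEMO_VAR, the function names and the allow-list are assumptions; exec() is assumed to use a POSIX /bin/sh.

```javascript
// Added example, not pdf-image's source. The child program, DEMO_VAR and the
// function names are assumptions; a POSIX /bin/sh is assumed for exec().
const util = require('node:util');
const { execSync, execFileSync } = require('node:child_process');

// Stand-in for the external PDF tool: a child that prints the one argument it got.
const ECHO_ARG = 'console.log(process.argv[1])';
const opts = { encoding: 'utf8', env: { ...process.env, DEMO_VAR: 'expanded' } };

// Pattern named in the advisory: util.format() builds one string and exec()
// hands it to the shell, which parses the path as shell syntax.
function viaShell(pdfFilePath) {
  const cmd = util.format('"%s" -e "%s" "%s"', process.execPath, ECHO_ARG, pdfFilePath);
  return execSync(cmd, opts).trim();
}

// Hardened pattern: execFile() takes an argument array and starts the program
// directly, so the path is never parsed by a shell.
function viaArgv(pdfFilePath) {
  return execFileSync(process.execPath, ['-e', ECHO_ARG, pdfFilePath], opts).trim();
}

// Allow-list for callers that must keep a shell-based library in place:
// plain path characters only, ending in .pdf, not starting with "-".
function isPlainPdfPath(p) {
  return typeof p === 'string' && /^[A-Za-z0-9_./-]+\.pdf$/.test(p) && !p.startsWith('-');
}

// Constructed input: a file name that contains shell syntax (variable expansion).
const sample = 'scan-$DEMO_VAR.pdf';
console.log('shell form, child received:', viaShell(sample));
console.log('argv form, child received: ', viaArgv(sample));
console.log('allow-list accepts sample: ', isPlainPdfPath(sample));
console.log('allow-list accepts docs/scan-01.pdf:', isPlainPdfPath('docs/scan-01.pdf'));
```

When the shell form returns a different string than the caller passed in, the shell has interpreted part of the path; the argument-array form returns the path byte for byte.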

Related Identifiers

CVE-2026-26830

Affected Products

Pdf-Image