CVE-2026-26832

Name of the Vulnerable Software and Affected Versions node-tesseract-ocr versions through 2.2.1

Description The recognize() function in src/index.js is susceptible to OS Command Injection due to insufficient input sanitization. Specifically, the file path parameter is incorporated into a shell command string and executed using child process.exec() without adequate validation. This allows for potential remote code execution.

Recommendations Versions prior to 2.2.1 are affected.