node-tesseract-ocr npm Package OS Command Injection (CVE-2026-26832)

Published On: Mar 27, 2026 10:40

Advisory No: TZCERT-SA-26-0134

Source: CVE Database

Software Affected: node-tesseract-ocr npm package (all versions)

Overview

A critical OS command injection vulnerability (CVE-2026-26832) has been identified in the node-tesseract-ocr npm package. The CVE was published on March 25, 2026 with a CVSS score of 9.8. The flaw lets an attacker who can influence the file path handed to the package execute arbitrary operating system commands on the host running the affected Node.js application. Where that path is derived from remote, unauthenticated input (for example an uploaded file name or a URL parameter), no authentication is required to exploit it.

Description

CVE-2026-26832 affects node-tesseract-ocr, a Node.js wrapper around the Tesseract OCR command-line tool. The root cause is in the recognize() function in src/index.js: it accepts a file path parameter, concatenates it directly into a shell command string without sanitization, and passes that string to child_process.exec(). Because exec() runs the command through a shell, shell metacharacters in the path (such as ;, |, &&, backticks or $(...)) are interpreted rather than treated as part of a file name, so an attacker who controls the path can append arbitrary commands that run with the privileges of the Node.js process. This is a textbook command injection: the absence of input validation, combined with the use of a shell-interpreting API, lets attacker-supplied text become part of the command executed on the host.

Impact

Successful exploitation of this vulnerability allows a remote unauthenticated attacker to execute arbitrary operating system commands on the host system, potentially resulting in full system compromise, unauthorized data access, or installation of malicious software.

Solution

No patch details are available at the time of writing. Until a fixed release is published: do not pass untrusted, user-supplied file paths to node-tesseract-ocr; validate any path you do pass (resolve it against an allow-listed directory, reject path traversal and shell metacharacters, and accept only the image extensions you expect); prefer invoking tesseract through child_process.execFile() or spawn() with an argument array rather than a shell command string; run npm ls node-tesseract-ocr in each project to find direct and transitive uses; and monitor the official package channels for a security update.
