Published: Mar 27, 2026 10:40
Advisory No: TZCERT-SA-26-0133
Source: CVE Database / OFFSEQ
Software Affected: pdf-image npm package through version 2.0.0
A critical OS command injection vulnerability has been identified in the pdf-image npm package, affecting all versions through 2.0.0. With a CVSS score of 9.8, this flaw allows an unauthenticated attacker who can influence the file path handed to the library to execute arbitrary operating system commands on the host system. The vulnerability was published on March 25, 2026.
CVE-2026-26830 is a critical OS command injection vulnerability (CVSS score 9.8) in the pdf-image npm package affecting versions through 2.0.0. The vulnerability resides in the constructGetInfoCommand and constructConvertCommandForPage functions, which use Node.js's util.format() to interpolate the caller-supplied file path (pdfFilePath) directly into a shell command string without sanitizing or escaping shell-special characters. The resulting string is passed to child_process.exec(), which hands it to a shell (/bin/sh on Unix-like systems) for parsing. An attacker who controls pdfFilePath can therefore embed shell metacharacters (a semicolon, backticks, $(...), or simply a closing double quote) to terminate the intended command and append commands of their own, which run with the privileges of the Node.js process.
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary operating system commands on the host running the affected Node.js application, with the privileges of that application's process, potentially leading to full system compromise, data exfiltration, or deployment of malware. Exposure depends on how the application uses the package: any code path that derives pdfFilePath from user input (an uploaded file name, a URL or form parameter) is reachable remotely, while applications that only ever pass server-generated paths are not directly exposed but should still track the fix.
No patch is available at the time of writing. Users are advised not to pass untrusted input to pdf-image. Where the file to be processed originates from a user (for example an upload), store it under a server-generated name and pass only that server-constructed path to the library. Do not rely on escaping an attacker-controlled string before passing it in: the library's own quoting is exactly what the attack bypasses. Validate any remaining user-derived component against a strict allowlist (for example a bare file name consisting of alphanumerics, dots, hyphens and underscores, ending in .pdf, resolved inside a fixed directory), and consider migrating to an actively maintained alternative that invokes its helper programs without a shell (child_process.execFile or spawn with an argument array). Monitor the package for a fixed release.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.