{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26833", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-28T01:17:25.554Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z"}, "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mmahrous/thumbler"}, {"url": "https://www.npmjs.com/package/thumbler"}, {"url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26833"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T01:15:11.452465Z", "id": "CVE-2026-26833", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:17:25.554Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26833", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-28T01:15:11.452465Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:17:19.719Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/mmahrous/thumbler"}, {"url": "https://www.npmjs.com/package/thumbler"}, {"url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26833"}], "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:48:33.523Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26833", "state": "PUBLISHED", "dateUpdated": "2026-03-28T01:17:25.554Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping."}, {"lang": "es", "value": "thumbler hasta la versi\u00f3n 1.1.2 permite la inyecci\u00f3n de comandos del sistema operativo a trav\u00e9s del par\u00e1metro input, output, time o size en la funci\u00f3n thumbnail() porque la entrada del usuario se concatena en una cadena de comando de shell pasada a child_process.exec() sin la sanitizaci\u00f3n o el escape adecuados."}], "id": "CVE-2026-26833", "lastModified": "2026-03-28T02:16:14.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.390", "references": [{"source": "[email protected]", "url": "https://github.com/mmahrous/thumbler"}, {"source": "[email protected]", "url": "https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js"}, {"source": "[email protected]", "url": "https://github.com/zebbernCVE/CVE-2026-26833"}, {"source": "[email protected]", "url": "https://www.npmjs.com/package/thumbler"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "thumbler", "vendor": "mmahrous"}], "analysis": {"en": {"generated_at": "2026-03-27T10:52:12.559644+00:00", "value": {"mitigation_remediation": ["Upgrade thumbler to the latest released version that removes the unsafe shell construction.", "If an upgrade is not possible, enforce strict input validation: allow only numeric values for size and time, and restrict path characters for input and output to a safe whitelist.", "Replace child_process.exec usage with a safer image\u2011processing library that does not invoke the shell.", "If thumbnail generation is not required, remove the thumbler dependency entirely.", "Enable logging or monitoring of thumbnail() executions to detect abnormal activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via OS Command Injection"}, "threat_synthesis": {"affected_systems": "Any Node.js application that imports the thumbler npm package at version\u202f1.1.2 or earlier is affected. The vulnerability resides solely in the library\u2019s thumbnail() function and does not arise from other dependencies. Projects exposing the thumbnail() API to external users\u2014such as web services that generate image thumbnails based on client input\u2014are at risk. No vendor or product names are identified beyond the npm package itself.", "description_and_impact": "thumbler up to version\u202f1.1.2 concatenates user\u2011controlled values for input, output, time, or size directly into a shell command string that is executed via child_process.exec. This allows an attacker to inject arbitrary operating\u2011system commands, leading to remote code execution. The weakness corresponds to CWE\u201178, improper neutralization of elements in an operating\u2011systems command.", "risk_and_exploitability": "The reported EPSS score is below 1\u202f% and the issue is not listed in the CISA KEV catalog, suggesting that exploitation is currently rare. Nevertheless, the impact is severe because successful exploitation grants arbitrary command execution on the host running the node.js process. The attack vector is inferred to be remote if the thumbnail() function is callable over a network or via user input. Exploitation requires the application to accept arbitrary values for the parameters and to execute the shell command without sanitization. Given the high severity but low known exploitation probability, the overall risk can be considered moderate, though any publicly exposed use warrants immediate attention."}}}}, "created": "2026-03-25T20:57:00.341652+00:00", "updated": "2026-03-27T15:48:08.703999+00:00", "vendors": ["mmahrous", "mmahrous$PRODUCT$thumbler"]}