CVE-2026-26833

Published: Mar 25, 2026 Last Modified: Mar 25, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.

https://github.com/mmahrous/thumbler
https://github.com/mmahrous/thumbler
https://github.com/mmahrous/thumbler/blob/master/lib/thumbl…
https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js
https://github.com/zebbernCVE/CVE-2026-26833
https://github.com/zebbernCVE/CVE-2026-26833
https://www.npmjs.com/package/thumbler
https://www.npmjs.com/package/thumbler