CVE-2026-26833
Published: 2026-03-25
Priority: P2 / 62 / critical / 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.31% (81.2th percentile)

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mmahrous | thumbler | <= 1.1.2 | — |
| mmahrous | thumbler | 0 – 1.1.2 | — |
Sources

OSV (2026-03-25): CVE-2026-26833 [CRITICAL] thumbler allows OS Command Injection
GHSA (2026-03-25): CVE-2026-26833 [CRITICAL] CWE-78 thumbler allows OS Command Injection

Both sources carry the same description as above.
No detection rules found.
No public exploits indexed.
Published: 2026-03-25