CVE-2026-26832: node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS command injection: the file path parameter is concatenated into a shell command string and passed to child_process.exec() without sanitization, so shell metacharacters in an attacker-controlled path are interpreted by the shell and can run arbitrary commands with the privileges of the Node.js process.