CVE-2026-26830: pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate the user-controlled file path into shell command strings that are then executed with child_process.exec(). Because exec() hands the whole string to a shell, quotes and metacharacters embedded in the path (for example in an uploaded file's original name) are interpreted as shell syntax, so whoever controls the path can run arbitrary commands with the privileges of the Node.js process. Applications that pass attacker-influenced file names to pdf-image should treat themselves as affected. As a mitigation in the calling application, use server-generated file names rather than user-supplied ones, and invoke the underlying tools with an argument array (child_process.execFile() or spawn() without a shell) rather than a formatted command string.