CVE-2026-26833: thumbler allows OS Command Injection

March 25, 2026 (updated March 31, 2026)

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.

References

github.com/advisories/GHSA-mvhf-547c-h55r
github.com/mmahrous/thumbler
github.com/mmahrous/thumbler/blob/master/lib/thumbler.js
github.com/zebbernCVE/CVE-2026-26833
nvd.nist.gov/vuln/detail/CVE-2026-26833
www.npmjs.com/package/thumbler

Code Behaviors & Features

Detect and mitigate CVE-2026-26833 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →