CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

3230 matches found

Packet Storm•added 2026/03/26 12:0 a.m.•171 views

📄 pdf-image 2.0.0 Command Injection

pdf-image through version 2.0.0 allows OS command injection via the pdfFilePath argument. The package builds shell command strings with util.format and executes them with childprocess.exec. If an application passes an attacker-controlled file path into PDFImage, shell metacharacters in that path...

9.8CVSS6AI score0.02493EPSS

Exploits4

Snyk•added 2026/03/25 6:45 p.m.•1 views

Command Injection

Overview textract is an Extracting text from files of various type including html, pdf, doc, docx, xls, xlsx, csv, pptx, png, jpg, gif, rtf, text/, and various open office. Affected versions of this package are vulnerable to Command Injection via the filePath parameter in multiple extractors. An...

9.8CVSS6.1AI score0.02421EPSS

Exploits4References2

Snyk•added 2026/03/25 6:45 p.m.•5 views

Command Injection

Overview node-tesseract-ocr is an A Node.js wrapper for the Tesseract OCR API Affected versions of this package are vulnerable to Command Injection via the recognize function. An attacker can execute arbitrary system commands by supplying crafted input to the file path parameter, which is...

9.8CVSS6.1AI score0.01706EPSS

Exploits3References2

EUVD•added 2026/03/25 6:31 p.m.•2 views

EUVD-2026-15459

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

5.8AI score0.02421EPSS

Exploits4References7

OSV•added 2026/03/25 6:31 p.m.•1 views

GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection

9.8CVSS5.9AI score0.02421EPSS

Exploits4References7

OSV•added 2026/03/25 6:31 p.m.•4 views

GHSA-8J44-735H-W4W2 node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

9.8CVSS5.9AI score0.01706EPSS

Exploits3References4

Github Security Blog•added 2026/03/25 6:31 p.m.•4 views

textract is vulnerable to OS Command Injection

9.8CVSS5.9AI score0.02421EPSS

Exploits4References8Affected Software1

OSV•added 2026/03/25 5:47 p.m.•3 views

GHSA-5M4Q-5CVX-36MW AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path

Summary The restreamer endpoint constructs a log file path by embedding user-controlled usersid and liveTransmitionHistoryid values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to exec, allowing an authenticated...

8.8CVSS6.4AI score0.00612EPSS

Exploits1References4

Github Security Blog•added 2026/03/25 5:47 p.m.•16 views

AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path

8.8CVSS6.5AI score0.00612EPSS

Exploits1References4Affected Software1

OSV•added 2026/03/25 5:32 p.m.•3 views

GHSA-5J35-XR4G-VWF4 @grackle-ai/server has a Missing Secure Flag on Session Cookie

Impact The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections. Since the server binds to 127.0.0.1 by default and uses HTTP not HTTPS, this is acceptable for localhost use. However, when...

2.3CVSS5.8AI score

Exploits0References2

NVD•added 2026/03/25 4:16 p.m.•2 views

CVE-2026-26831

9.8CVSS0.02421EPSS

Exploits4References6

Github Security Blog•added 2026/03/25 3:31 p.m.•7 views

pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...

9.8CVSS5.9AI score0.02493EPSS

Exploits4References3Affected Software1

NVD•added 2026/03/25 3:16 p.m.•3 views

CVE-2026-26830

9.8CVSS0.02493EPSS

Exploits4References3

Cvelist•added 2026/03/25 12:0 a.m.•20 views

CVE-2026-26831

0.02421EPSS

Exploits4References6

Positive Technologies•added 2026/03/25 12:0 a.m.•8 views

PT-2026-27800

Name of the Vulnerable Software and Affected Versions textract versions through 2.5.0 Description The software is susceptible to an OS Command Injection issue through the file path parameter in multiple extractors. Processing files with malicious filenames allows the filePath to be directly passe...

9.8CVSS5.8AI score0.02421EPSS

Exploits4References9

CNNVD•added 2026/03/25 12:0 a.m.•4 views

pdf-image 安全漏洞

pdf-image is a Node.js tool developed by Masafumi Oyamada for converting PDFs to PNG images. Versions of pdf-image 2.0.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the fact that the pdfFilePath parameter is not verified, which may lead to OS command injection...

9.8CVSS5.8AI score0.02493EPSS

Exploits4References3

Vulnrichment•added 2026/03/25 12:0 a.m.•1 views

CVE-2026-26831

5.9AI score0.02421EPSS

Exploits4References6

CVE•added 2026/03/25 12:0 a.m.•12 views

CVE-2026-26831

CVE-2026-26831 affects textract up to version 2.5.0, where filePath is passed directly to child_process.exec() in multiple extractors (lib/extractors/doc.js, lib/extractors/rtf.js, lib/extractors/dxf.js, lib/extractors/images.js, and lib/util.js) without sufficient sanitization, enabling OS comma...

9.8CVSS5.8AI score0.02421EPSS

Exploits4References6Affected Software1