pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...

SUSE CVE-2026-29042

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the...

SUSE CVE-2026-30223

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" local RSA public key or "authJwtHmacSecret" HMAC secret, the configured audience value authJwtAud is not enforced during toke...

SUSE CVE-2026-30224

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default 1 year. A...

SUSE CVE-2026-30225

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low-privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new...

SUSE CVE-2026-33310

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell, the command ma...

CVE-2026-26830

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

PT-2026-28181

Name of the Vulnerable Software and Affected Versions OpenHands versions prior to 1.5.0 Description OpenHands is software for AI-driven development. A Command Injection vulnerability exists in the get git diff method at openhands/runtime/utils/git handler.py:134. The path parameter from the...

PT-2026-27802

Name of the Vulnerable Software and Affected Versions thumbler versions prior to 1.1.3 Description The software contains a flaw that allows for the injection of operating system commands. This occurs through the input, output, time, or size parameters within the thumbnail function. The issue aris...

PT-2026-27783

Name of the Vulnerable Software and Affected Versions pdf-image versions through 2.0.0 Description The pdf-image npm package versions through 2.0.0 allows for OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions utilize...

CVE-2026-26830

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

CVE-2026-26830

Summary of CVE-2026-26830 (pdf-image) : The npm package pdf-image (versions up to 2.0.0) is vulnerable to OS command injection through the pdfFilePath parameter. The functions constructGetInfoCommand and constructConvertCommandForPage interpolate user-controlled file paths into shell command stri...

CVE-2026-26833

CVE-2026-26833 affects the Node.js package thumbler up to version 1.1.2. The vulnerability is a OS command injection in the thumbnail() function: user-supplied values for input, output, time, or size are concatenated into a shell command string and executed via child_process.exec() without proper...

PT-2026-28038

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through = 6.4.9...

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

PT-2026-27998

Name of the Vulnerable Software and Affected Versions deothemes Ona versions prior to 1.24 Description The software contains a flaw related to unrestricted file upload with a dangerous file type. This allows for the upload of a web shell to a web server. Recommendations Update to a version newer...

n8n 安全漏洞

n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 2.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the disabling of host key verification during SSH operations related to source control, which could lead to...

CVE-2026-26833

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to childprocess.exec without proper sanitization or escaping...

Your AI Stack Just Handed Over Your Root Keys: Inside the litellm PyPI Breach

Litellm PyPI breach explained: malicious versions steal cloud credentials, SSH keys, and Kubernetes secrets. Learn impact and urgent mitigation steps...

WordPress plugin Ona 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...