12 matches found
📄 thumbler 1.1.2 Command Injection
The thumbler package through version 1.1.2 contains a critical command injection vulnerability in the thumbnail function. The user-supplied parameters input, output, time, and size are concatenated into a single ffmpeg command string and executed via child_process.exec without proper sanitization. A...
CVE-2026-26833
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...
📄 thumbler 1.1.2 Command Injection
thumbler through version 1.1.2 allows OS command injection in thumbnail in lib/thumbler.js. The package concatenates the input, output, time, and size values into a single ffmpeg command string and executes that string with child_process.exec. An attacker who controls one of those values can injec...
allbot (>=0.1.1 <=0.1.70), multi-rest (>=1.3.0-1 <=1.4.5) potentially affected by CVE-2026-26833 via thumbler (=1.1.2)
thumbler NPM version =1.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on thumbler and may be impacted: allbot (>=0.1.1 <=0.1.70), multi-rest (>=1.3.0-1 <=1.4.5). Source CVEs: CVE-2026-26833. Source advisory: OSV:GHSA-MVHF-547C-H55R...
GHSA-MVHF-547C-H55R thumbler allows OS Command Injection
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...
thumbler allows OS Command Injection
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...
CVE-2026-26833
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...
CVE-2026-26833
CVE-2026-26833 affects the Node.js package thumbler up to version 1.1.2. The vulnerability is an OS command injection in the thumbnail() function: user-supplied values for input, output, time, or size are concatenated into a shell command string and executed via child_process.exec() without proper...
CVE-2026-26833
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...
Thumbler Security Vulnerability
Thumbler is a video and image thumbnail extraction tool developed by Mohamed Mahrous Sayed. Versions of Thumbler 1.1.2 and earlier contain security vulnerabilities. These vulnerabilities stem from unvalidated input, output, time, or size parameters in the thumbnail generation function, which may...
CVE-2026-26833
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...
Exploit for CVE-2026-26833
CVE-2026-26833: OS command injection in thumbler Summary...