2 matches found
allbot (>=0.1.1 <=0.1.70), multi-rest (>=1.3.0-1 <=1.4.5) potentially affected by CVE-2026-26833 via thumbler (=1.1.2)
thumbler NPM version =1.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on thumbler and may be impacted: - allbot =0.1.1, =1.3.0-1, =1.4.5 Source cves: CVE-2026-26833 Source advisory: OSV:GHSA-MVHF-547C-H55R...
CVE-2026-26833
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to childprocess.exec without proper sanitization or escaping...