11 matches found

Packet Storm
added 2026/04/27 12:0 a.m. | 75 views

thumbler 1.1.2 Command Injection

The thumbler package through version 1.1.2 contains a critical command injection vulnerability in the thumbnail function. User-supplied input parameters input, output, time, size are concatenated into a single ffmpeg command string and executed via child_process.exec without proper sanitization. A...

CVSS 9.8 | AI score 6.8 | EPSS 0.02308
Exploits: 4
Packet Storm
added 2026/03/26 12:0 a.m. | 92 views

thumbler 1.1.2 Command Injection

thumbler through version 1.1.2 allows OS command injection in thumbnail in lib/thumbler.js. The package concatenates the input, output, time, and size values into a single ffmpeg command string and executes that string with child_process.exec. An attacker who controls one of those values can injec...

CVSS 9.8 | AI score 5.9 | EPSS 0.02308
Exploits: 4
OSV
added 2026/03/25 6:31 p.m. | 3 views

GHSA-MVHF-547C-H55R thumbler allows OS Command Injection

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...

CVSS 9.8 | AI score 5.9 | EPSS 0.02308
Exploits: 4 | References: 5
Github Security Blog
added 2026/03/25 6:31 p.m. | 7 views

thumbler allows OS Command Injection

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...

CVSS 9.8 | AI score 5.9 | EPSS 0.02308
Exploits: 4 | References: 6 | Affected Software: 1
EUVD
added 2026/03/25 6:31 p.m. | 3 views

EUVD-2026-15463

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...

AI score 5.8 | EPSS 0.02308
Exploits: 4 | References: 5
CVE
added 2026/03/25 12:0 a.m. | 9 views

CVE-2026-26833

CVE-2026-26833 affects the Node.js package thumbler up to version 1.1.2. The vulnerability is an OS command injection in the thumbnail() function: user-supplied values for input, output, time, or size are concatenated into a shell command string and executed via child_process.exec() without proper...

CVSS 9.8 | AI score 5.8 | EPSS 0.02308
Exploits: 4 | References: 4 | Affected Software: 1
Vulnrichment
added 2026/03/25 12:0 a.m. | 1 views

CVE-2026-26833

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to child_process.exec without proper sanitization or escaping...

AI score 5.9 | EPSS 0.02308
Exploits: 4 | References: 4
GithubExploit
added 2026/03/24 4:15 p.m. | 116 views

Exploit for CVE-2026-26833

CVE-2026-26833: OS command injection in thumbler Summary...

AI score 6.1 | EPSS 0.02308
Exploits: 4
CVE
added 2026/01/15 12:0 a.m. | 11 views

CVE-2025-67079

CVE-2025-67079 describes a file upload vulnerability in Omnispace Agora Project prior to 25.10. The issue allows code execution via the MSL engine of the Imagick library when a crafted PDF is uploaded through the file upload and thumbnail functions. The underlying cause is misuse in handling craf...

CVSS 9.8 | AI score 7.2 | EPSS 0.00381
Exploits: 0 | References: 2 | Affected Software: 1
SUSE CVE
added 2023/02/15 6:9 a.m. | 2 views

SUSE CVE-2007-6352

Integer overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags, possibly involving the exif_data_load_data_thumbnail function in exif-data.c...

CVSS 6.8 | AI score 8.2 | EPSS 0.02727
Exploits: 0 | References: 5
OSV
added 2014/10/28 11:33 a.m. | 21 views

MGASA-2014-0430 Updated php packages fix security vulnerabilities

An integer overflow flaw in PHP's unserialize function was reported. If unserialize were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669). A heap corruption issue was reported in PHP's exif_thumbnail function. A specially-crafted JPEG ima...

CVSS 7.5 | AI score 8.6 | EPSS 0.28862
Exploits: 2 | References: 8