https://feed.craftedsignal.io/tags/cve-2026-26830/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 25 Mar 2026 15:16:38 +0000https://feed.craftedsignal.io/briefs/2026-03-pdf-image-command-injection/Wed, 25 Mar 2026 15:16:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-pdf-image-command-injection/The pdf-image npm package through version 2.0.0 is vulnerable to OS command injection via the pdfFilePath parameter due to improper sanitization, potentially leading to arbitrary code execution.The pdf-image npm package, up to version 2.0.0, contains a critical vulnerability (CVE-2026-26830) that allows for OS command injection. This vulnerability stems from the way the package handles user-provided file paths when processing PDF files. Specifically, the constructGetInfoCommand and constructConvertCommandForPage functions utilize util.format() to incorporate the pdfFilePath parameter directly into shell command strings. These commands are then executed using…

]]>criticaladvisorycommand-injectionnpmCVE-2026-26830pdf