{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-26832/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","nodejs","tesseract-ocr","cve-2026-26832"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe node-tesseract-ocr npm package, a Node.js wrapper for Tesseract OCR, is vulnerable to OS command injection (CVE-2026-26832) in versions 2.2.1 and earlier. The vulnerability exists within the \u003ccode\u003erecognize()\u003c/code\u003e function located in \u003ccode\u003esrc/index.js\u003c/code\u003e. The \u003ccode\u003efile path\u003c/code\u003e parameter, used to specify the image for OCR processing, is directly concatenated into a shell command string without proper sanitization. This unsanitized string is then passed to \u003ccode\u003echild_process.exec()\u003c/code\u003e, enabling attackers to inject arbitrary commands that are executed by the system. Exploitation can lead to complete system compromise, data exfiltration, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious file path containing OS commands.\u003c/li\u003e\n\u003cli\u003eThe attacker passes the malicious file path to the \u003ccode\u003erecognize()\u003c/code\u003e function within the \u003ccode\u003enode-tesseract-ocr\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erecognize()\u003c/code\u003e function concatenates the attacker-controlled file path into a command string.\u003c/li\u003e\n\u003cli\u003eThe command string, now containing injected OS commands, is passed to \u003ccode\u003echild_process.exec()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003echild_process.exec()\u003c/code\u003e executes the command string.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed by the system with the privileges of the Node.js process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the server hosting the Node.js application. This can lead to complete system compromise, potentially impacting all data and services hosted on the compromised server. The severity is heightened because the vulnerability is remotely exploitable and requires no user interaction. Systems using affected versions of \u003ccode\u003enode-tesseract-ocr\u003c/code\u003e are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003enode-tesseract-ocr\u003c/code\u003e package to a patched version that addresses CVE-2026-26832 if available.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for the file path parameter passed to the \u003ccode\u003erecognize()\u003c/code\u003e function, mitigating command injection attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by Node.js (\u003ccode\u003enode.exe\u003c/code\u003e or \u003ccode\u003enode\u003c/code\u003e) to detect potential exploitation using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and audit all uses of \u003ccode\u003echild_process.exec()\u003c/code\u003e within Node.js applications to identify and remediate other potential command injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-node-tesseract-ocr-command-injection/","summary":"The node-tesseract-ocr npm package through version 2.2.1 is vulnerable to OS command injection due to improper sanitization of the file path parameter in the recognize() function, potentially allowing for arbitrary command execution.","title":"node-tesseract-ocr OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-node-tesseract-ocr-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-26832","version":"https://jsonfeed.org/version/1.1"}