{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pdf/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","npm","CVE-2026-26830","pdf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe pdf-image npm package, up to version 2.0.0, contains a critical vulnerability (CVE-2026-26830) that allows for OS command injection. This vulnerability stems from the way the package handles user-provided file paths when processing PDF files. Specifically, the \u003ccode\u003econstructGetInfoCommand\u003c/code\u003e and \u003ccode\u003econstructConvertCommandForPage\u003c/code\u003e functions utilize \u003ccode\u003eutil.format()\u003c/code\u003e to incorporate the \u003ccode\u003epdfFilePath\u003c/code\u003e parameter directly into shell command strings. These commands are then executed using…\u003c/p\u003e\n","date_modified":"2026-03-25T15:16:38Z","date_published":"2026-03-25T15:16:38Z","id":"/briefs/2026-03-pdf-image-command-injection/","summary":"The pdf-image npm package through version 2.0.0 is vulnerable to OS command injection via the pdfFilePath parameter due to improper sanitization, potentially leading to arbitrary code execution.","title":"pdf-image npm Package Command Injection Vulnerability (CVE-2026-26830)","url":"https://feed.craftedsignal.io/briefs/2026-03-pdf-image-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Pdf","version":"https://jsonfeed.org/version/1.1"}