CRITICALCVE-2026-26832Published 2026-03-25Modified 2026-03-25CNA mitre

CVE-2026-26832: node-tesseract-ocr is an npm package that provides a Node

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N

References

npmjs.com
github.com
github.com
github.com

Metrics