Critical severity 9.8 · NVD Advisory · Published Mar 25, 2026 · Updated Jun 5, 2026
CVE-2026-26832
Description
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization.
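The contrast between the string-concatenation pattern described above and a shell-free call, as an added example (not the package's source and not a published patch). The function names, the language-code allow-list, and the `tesseract` binary being on PATH are assumptions, and the file name used to exercise it is constructed.

```javascript
const { execFile } = require("node:child_process");
const path = require("node:path");

// The pattern the advisory describes, reduced to its core (not the package's
// actual source): the path becomes part of a string that a shell will parse.
// This function only builds the string; nothing here executes it.
function unsafeCommandString(input, lang = "eng") {
  return "tesseract " + input + " stdout -l " + lang;
}

// Hardened form: every value is its own argv element, so no shell ever
// interprets spaces, quotes, ';', '|', '$()' or backticks in the path.
function buildArgs(input, lang = "eng") {
  if (typeof input !== "string" || input.length === 0 || input.includes("\0")) {
    throw new TypeError("input must be a non-empty path without NUL bytes");
  }
  // Assumed allow-list for language codes such as "eng" or "eng+deu".
  if (!/^[A-Za-z0-9_+]+$/.test(lang)) {
    throw new TypeError("unexpected characters in language code");
  }
  // An absolute path can never start with '-', so it cannot be read as an option.
  return [path.resolve(input), "stdout", "-l", lang];
}

// Hypothetical replacement for a recognize()-style call: execFile() starts the
// binary directly (no /bin/sh), with a timeout and an output size cap.
function recognizeSafe(input, lang = "eng") {
  return new Promise((resolve, reject) => {
    let args;
    try {
      args = buildArgs(input, lang);
    } catch (err) {
      reject(err);
      return;
    }
    const opts = { timeout: 30000, maxBuffer: 10 * 1024 * 1024 };
    execFile("tesseract", args, opts, (err, stdout) => {
      if (err) reject(err);
      else resolve(stdout);
    });
  });
}
```

Since the table below lists no patched version, callers that cannot drop the dependency can apply the same argv-based approach in their own wrapper and treat any user-supplied path as untrusted.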
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-tesseract-ocr (npm) | <= 2.2.1 | — |
References
- github.com/advisories/GHSA-8j44-735h-w4w2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-26832 (GHSA, advisory)
- github.com/zapolnoch/node-tesseract-ocr/blob/master/src/index.js (NVD, product, web)
- www.npmjs.com/package/node-tesseract-ocr (NVD, product)