CVE-2026-26833
Description
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
thumbler <=1.1.2 suffers from OS command injection in its thumbnail() function due to unsanitized input concatenated into a shell command.
Vulnerability
Description
thumbler, a Node.js package for extracting video thumbnails, contains an OS command injection vulnerability in its thumbnail() function. The root cause is that the input, output, time, and size parameters are concatenated directly into an ffmpeg command string that is executed via child_process.exec(). No sanitization or escaping is applied, allowing an attacker who controls any of these parameters to inject arbitrary shell commands [1][2].
Exploitation and Attack Vector
An attacker exploits this by supplying crafted values for any of the four parameters. For example, passing the string 'test.mp4"; id > /tmp/pwned; echo "' as the input parameter makes the shell treat the embedded double quote as the end of the quoted argument and the semicolon as the end of the ffmpeg command: ffmpeg runs with a truncated argument list, id > /tmp/pwned then runs as a separate command, and the trailing echo " reopens a quote that absorbs the remainder of the original command line [2]. The library itself performs no authentication, so the attack is reachable over the network wherever an application calls thumbnail() with user-supplied data, for example a media upload or URL-fetch endpoint. The CVSS 3.1 base score is 9.8 (Critical), reflecting the ease and impact of exploitation [2].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the application. This can lead to full compromise of the host system, including data theft, installation of malware, or lateral movement within the network. Any service that uses thumbler to generate thumbnails from user-provided media is at risk [2].
Mitigation and Status
As of the publication date (2026-03-25), no fixed version of thumbler has been released. The official GitHub repository has not responded with a patch. Users are advised to avoid passing untrusted data to the thumbnail() function, replace shell-string concatenation with argument-safe process execution (e.g., using child_process.spawn with an array of arguments), or migrate to a maintained alternative library [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| thumbler (npm) | <= 1.1.2 | — |
Affected products
thumbler/thumbler
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.