npm package
pdf-image
pkg:npm/pdf-image
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-26830 | Cri | 9.8 | <= 2.0.0 | — | Mar 25, 2026 | pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are execut | |
| CVE-2020-8132 | — | <= 2.0.0 | — | Feb 28, 2020 | Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input. | ||
| CVE-2018-3757 | — | < 2.0.0 | 2.0.0 | Jun 1, 2018 | Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter. |
- affected <= 2.0.0
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are execut
- CVE-2020-8132Feb 28, 2020affected <= 2.0.0
Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.
- CVE-2018-3757Jun 1, 2018affected < 2.0.0fixed 2.0.0
Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter.