Home / Vulnerability Intelligence / CVE-2026-26832

CVE-2026-26832 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 26, 2026

node-tesseract-ocr - Command Injection

Published: March 25, 2026Updated: March 26, 2026PoC AvailableRemote Exploitable

Overview

node-tesseract-ocr <= 2.2.1 contains a command injection caused by unsanitized file path parameter concatenated into shell command in recognize() function, letting attackers execute arbitrary OS commands remotely, exploit requires crafted input.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 19.3%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary OS commands remotely, potentially leading to full system compromise.

Mitigation

Update to the latest version beyond 2.2.1.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 25, 2026

🔴 CVE-2026-26832 - Critical (9.8) node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a s... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26832/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(1 repo)

https://github.com/zebbernCVE/CVE-2026-26832

Related Resources

Details

CVE ID: CVE-2026-26832
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: unconfirmed
EPSS: 19.3%
Social Posts: 1

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

19.3%Probability of exploitation in the next 30 days