What is CVE-2026-26833?

CVE-2026-26833 is a vulnerability in N/a. Published 2026-03-25.

Is CVE-2026-26833 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2026-26833

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sani…

EPSS: 0.005 (66.1th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

zebbernCVE/CVE-2026-26833

References

github.com/mmahrous/thumbler
www.npmjs.com/package/thumbler
github.com/mmahrous/thumbler/blob/master/lib/thumbler.js
github.com/zebbernCVE/CVE-2026-26833

Frequently asked questions

What is CVE-2026-26833?: CVE-2026-26833 is a vulnerability in N/a. Published 2026-03-25.
Is CVE-2026-26833 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.