Aggregates CVE and security vulnerability intelligence across all pdf-image_project-related products, including CVSS scores, EPSS percentages, and publication and update dates.
Common weakness patterns include input validation failures and command injection, with potential impact of unexpected behavior in production workloads.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-26830 | pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec() | [email protected] | 9.8 | 0.28% | 2026-03-25 | 2026-04-02 |
| CVE-2020-8132 | Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input. | [email protected] | 9.8 | 0.46% | 2020-02-28 | 2024-11-21 |
| CVE-2018-3757 | Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter. | [email protected] | 9.8 | 7.96% | 2018-06-01 | 2024-11-21 |