We are proposing to write a case study on the command injection vulnerability in the pdf-image npm package (CVE-2026-26830).
Description: If an attacker supplies their own file path to PDFImage and that input contains a command, the command is executed in the host system's shell. The vulnerability stems from the constructGetInfoCommand() and constructConvertCommandForPage() functions building a command string from the attacker-controlled path and passing it to child_process.exec(), which hands the whole string to a shell for interpretation.
Proposed vulnerability: CVE-2026-26830
Software: pdf-image npm package
Primary weakness: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CVSS: 9.8 (Critical)
Group (24) Members:
- Thi Ley
- Cassandra Nguyen
- Loc Nguyen
References: