CVE-2026-26832 in node-tesseract-ocrinfo

Summary

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Responsible

MITRE

Reservation

02/16/2026

Disclosure

03/25/2026

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
353189	node-tesseract-ocr index.js recognize os command injection	78	Not defined	Not defined	CVE-2026-26832

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

MITRE
NVD
CVE Details

◂ PreviousOverviewNext ▸

Interested in the pricing of exploits?

See the underground prices here!