PatchSiren cyber security CVE debrief

CVE-2026-26832 Zapolnoch CVE debrief

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization.

Vendor: Zapolnoch
Product: node-tesseract-ocr
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-06-05
Advisory published: 2026-03-25
Advisory updated: 2026-06-05

Who should care

Developers and administrators using node-tesseract-ocr in their applications, especially those handling sensitive data or exposed to untrusted inputs.

Technical summary

The vulnerability is in the recognize() function of the node-tesseract-ocr package. The file path parameter is concatenated into a shell command string and executed with child_process.exec() without being sanitized, so a path containing shell metacharacters is interpreted by the shell instead of being treated as a plain argument. An attacker who controls that path can therefore run arbitrary OS commands with the privileges of the Node.js process, potentially leading to system compromise.

Defensive priority

High

Recommended defensive actions

  • Upgrade to a version of node-tesseract-ocr that is not vulnerable (version greater than 2.2.1).
  • Use a secure alternative for OCR functionality if an upgrade is not feasible.
  • Implement additional security measures, such as validating and sanitizing every file path before it is passed to recognize(), so that untrusted values never reach the shell command unchecked.

Evidence notes

The CVE-2026-26832 vulnerability has a CVSS score of 9.8, indicating critical severity. It was published on 2026-03-25T16:16:21.240Z and last modified on 2026-06-05T14:33:23.523Z.
