External risk intelligence

node-tesseract-ocr Command Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-26832

The `node-tesseract-ocr` npm package has a critical OS Command Injection vulnerability in its `recognize()` function, where a file path parameter is unsafely concatenated into a shell command. This could allow an unauthenticated attacker to execute arbitrary commands on the server.

Halo Surface Signal: 3

Weakness: OS Command Injection

Affected product: Zapolnoch Tesseract Ocr

Affected versions: 2.2.1 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-26832

This is a library used by developers within Node.js applications to perform OCR. While the library itself is not a standalone internet-facing service, it is frequently integrated into web applications and APIs that process user-supplied files, making it plausibly reachable via the public internet depending on the implementation of the host application.

PCI scan relevance

PCI Relevance for CVE-2026-26832

Yes

CVE-2026-26832 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This OS Command Injection vulnerability in node-tesseract-ocr can lead to a PCI ASV scan failure because it allows for remote code execution without authentication.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the `node-tesseract-ocr` npm package, which is used to integrate Optical Character Recognition (OCR) capabilities into Node.js applications. The flaw allows command injection, meaning an attacker could execute arbitrary commands on the server hosting the application. The main concern is to confirm whether this package is in use and, if so, to what extent it is exposed.

  • Flaw lets attackers run commands on servers.
  • Critical vulnerability in popular OCR Node.js tool.
  • Confirm use and exposure of OCR package.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by sending a specially crafted file path to a Node.js application that uses the `node-tesseract-ocr` package. When the application passes this path to the `recognize()` function, the path is concatenated into an operating-system command, so the attacker's input is interpreted as part of that command. This could allow an attacker to take control of the server or access sensitive data.

  • Requires only unauthenticated network access.
  • Path parameter of the `recognize()` function.
  • Arbitrary command execution and server compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary operating system commands when the `recognize()` function is used with a specially crafted file path. This could impact the confidentiality, integrity, and availability of the underlying system.

  • System commands could be executed.
  • Malicious commands via file path.
  • System compromise and data exfiltration.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in `node-tesseract-ocr` impacts applications using the `tesseract_ocr` package. The most immediate step is to identify all instances of this package within your Node.js environment, confirm their exposure, and assign ownership for remediation. Prioritize systems that are externally reachable and critical to business operations.

  • Identify application owners and affected systems.
  • Verify external reachability and business criticality.
  • Plan remediation based on identified risk.

Frequently asked questions

What is node-tesseract-ocr and how is it used?

Node-tesseract-ocr is an npm package that acts as a wrapper, letting Node.js applications invoke the Tesseract OCR engine. Developers use it to add Optical Character Recognition functionality, enabling their applications to extract text from images.

What kind of weakness does CVE-2026-26832 describe?

CVE-2026-26832 describes an OS Command Injection vulnerability. This means an attacker can trick the software into running unintended commands on the server by manipulating input, specifically a file path.

How can an attacker exploit CVE-2026-26832?

An attacker can exploit this by sending a specially crafted file path to the `recognize()` function within the `node-tesseract-ocr` package. The software then incorrectly includes this path in a command executed on the server, leading to unintended command execution.

Who should be concerned about this vulnerability?

Organizations using Node.js applications that integrate `node-tesseract-ocr` should be concerned. Based on Halo Surface Signal analysis, this vulnerability is classified as external, meaning it's plausibly reachable from the public internet, especially if integrated into web applications or APIs.

What should I do if my systems use node-tesseract-ocr?

The first step is to identify all instances of the `node-tesseract-ocr` package across your Node.js environments. Determine which of these are exposed externally and assess their criticality to business operations to prioritize remediation efforts.
