CVE advisory: CRITICAL
CVE-2026-26832
node-tesseract-ocr Command Injection Vulnerability
Halo Surface Signal: 3 out of 5 — possibly public-facing.
The `node-tesseract-ocr` npm package has a critical OS Command Injection vulnerability in its `recognize()` function, where a file path parameter is unsafely concatenated into a shell command. This could allow an unauthenticated attacker to execute arbitrary commands on the server.
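The pattern described above, next to a hardened form, as an added example that is not code from the package or from this advisory. It assumes a POSIX system and uses `echo` as a stand-in for the `tesseract` binary so it runs offline; the function names and the sample file name are constructed for illustration.

```javascript
const { execFileSync } = require("node:child_process");

// Stand-in for the tesseract binary (assumption): echo prints the arguments
// it receives, which makes visible how the path reached the process.
const BIN = "echo";

// Constructed sample: a file name containing a shell command separator.
const SAMPLE = "scan.png; echo INJECTED";

// Vulnerable pattern: the path is concatenated into one string that a
// shell then parses, so metacharacters in the path become shell syntax.
function recognizeUnsafe(path) {
  const command = [BIN, path, "stdout"].join(" ");
  return execFileSync("/bin/sh", ["-c", command], { encoding: "utf8" });
}

// Hardened pattern: no shell is involved. The path travels as exactly one
// argv element, whatever characters it contains.
function recognizeSafe(path) {
  if (typeof path !== "string" || path.length === 0) {
    throw new TypeError("path must be a non-empty string");
  }
  // A leading "-" would be read by the binary as an option, not a file.
  const arg = path.startsWith("-") ? `./${path}` : path;
  return execFileSync(BIN, [arg, "stdout"], { encoding: "utf8" });
}

// Unsafe: the shell runs two commands, so two lines come back.
console.log(JSON.stringify(recognizeUnsafe(SAMPLE)));
// Safe: one process, and the whole string arrives as a single argument.
console.log(JSON.stringify(recognizeSafe(SAMPLE)));
```

The same separation applies to any wrapper around a command-line tool: pass an argument array to `execFile` or `spawn` without the `shell` option rather than building a string for `exec`.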