CVE-2023-26155
CVSS 3.1 Score 9.8 of 10 (high)
Details
Published Oct 14, 2023
Updated: Nov 7, 2023
CWE ID 78
CWE ID 77
Summary
CVE-2023-26155 is a command injection vulnerability affecting all versions of the node-qpdf package. The encrypt() method in this package fails to sanitize user input when handling PDF file paths, allowing attackers to inject malicious commands. An attacker who can supply a specially crafted PDF file path can exploit this issue, leading to execution of the injected commands. Users are advised to upgrade to the latest version of node-qpdf to mitigate this risk.
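The bug class described in the summary, as an added example that is not node-qpdf's code: a path spliced into a shell command string next to a hardened form that validates the path and passes it to qpdf as a single argv element. The function names, the validation rules and the sample file name are assumptions made for illustration; the argument order follows the qpdf command line (`--encrypt user-password owner-password key-length -- infile outfile`).

```javascript
const { execFile } = require('node:child_process');
const path = require('node:path');

// Vulnerable pattern (CWE-78), shown for contrast only: the path is spliced
// into a string that a shell would parse, so ; | & ` $() in it become syntax.
function unsafeCommandString(input, output, password) {
  return `qpdf --encrypt ${password} ${password} 256 -- ${input} ${output}`;
}

// Validate one path and make it absolute, so it can never begin with "-"
// and be read by qpdf as an option.
function pdfPath(p) {
  if (typeof p !== 'string' || p.length === 0 || p.includes('\0')) {
    throw new TypeError('path must be a non-empty string without NUL bytes');
  }
  if (path.extname(p).toLowerCase() !== '.pdf') {
    throw new RangeError('path must end in .pdf');
  }
  return path.resolve(p);
}

// Hardened form: every value is its own argv element; nothing is quoted,
// escaped or concatenated, because no shell will ever see it.
function buildQpdfArgs(input, output, password) {
  if (typeof password !== 'string' || password.length === 0 || password.startsWith('-')) {
    throw new TypeError('password must be a non-empty string not starting with "-"');
  }
  return ['--encrypt', password, password, '256', '--',
          pdfPath(input), pdfPath(output)];
}

// Hypothetical wrapper: execFile() starts qpdf directly, without /bin/sh.
function encryptPdf(input, output, password, callback) {
  const args = buildQpdfArgs(input, output, password);
  return execFile('qpdf', args, { shell: false, timeout: 30000 }, callback);
}

// Constructed sample: a file name that passes validation but contains shell syntax.
const sample = 'q3;echo INJECTED #.pdf';
console.log(unsafeCommandString(sample, 'out.pdf', 'pw')); // a shell would split at ";"
console.log(buildQpdfArgs(sample, 'out.pdf', 'pw'));       // one literal argv element
```

When reviewing a wrapper around a command-line tool, the things to look for are `exec()` or `execSync()` called with a concatenated string, and `shell: true` passed to `spawn()` or `execFile()`.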