Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter.
pdf-image project pdf-image 2.0.0