CVE-2026-26831
published 2026-03-25CVE-2026-26831: textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious…
PriorityP263critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.42%
82.1th percentile
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dbashford | textract | <= 2.5.0 | — |
| textract_project | textract | 0 – 2.5.0 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
textract is vulnerable to OS Command Injection
ghsa·2026-03-25
CVE-2026-26831 [CRITICAL] CWE-78 textract is vulnerable to OS Command Injection
textract is vulnerable to OS Command Injection
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
OSV
textract is vulnerable to OS Command Injection
osv·2026-03-25
CVE-2026-26831 [CRITICAL] textract is vulnerable to OS Command Injection
textract is vulnerable to OS Command Injection
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
No detection rules found.
No public exploits indexed.
https://github.com/dbashford/textracthttps://github.com/dbashford/textract/blob/master/lib/extractors/doc.jshttps://github.com/dbashford/textract/blob/master/lib/extractors/rtf.jshttps://github.com/dbashford/textract/blob/master/lib/util.jshttps://github.com/zebbernCVE/CVE-2026-26831https://www.npmjs.com/package/textract
2026-03-25
Published