CVE-2026-26831

CRITICAL

textract through 2.5.0 - Command Injection

Title source: llm

Description

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

References (6)

https://www.npmjs.com/package/textract

https://github.com/dbashford/textract

View Writeup ZIP pw:eip

https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js

https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js

https://github.com/dbashford/textract/blob/master/lib/util.js

https://github.com/zebbernCVE/CVE-2026-26831

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0043

EPSS Percentile 62.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78 CWE-94

Status published

Products (2)

dbashford/textract < 2.5.0

npm/textract 0npm

Published Mar 25, 2026

Tracked Since Mar 25, 2026