CVE-2026-26831

CRITICAL

textract through 2.5.0 - Command Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-26831. PoCs published by zebbernCVE.

AI-analyzed exploit summary

The repository provides a detailed technical analysis of CVE-2026-26831, an OS command injection vulnerability in the `textract` npm package. It includes affected components, code snippets, and a proof-of-concept example demonstrating how malicious file names can exploit inadequate sanitization in `child_process.exec()` calls.

Description

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.

Exploits (1)

Writeup (nomisec)
by zebbernCVE · poc
https://github.com/zebbernCVE/CVE-2026-26831


Classification: Writeup 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: textract npm package (versions through 2.5.0)
Authentication: none needed
Prerequisites: attacker-controlled file path
Analyzed by devstral-2 on May 03, 2026

Scores

CVSS v3 9.8
EPSS 0.0051
EPSS Percentile 67.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-78 CWE-94
Status published
Products (2)
dbashford/textract < 2.5.0
npm/textract
Published Mar 25, 2026
Tracked Since Mar 25, 2026