CVE-2026-26831

critical

Description

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.

References

https://www.npmjs.com/package/textract

https://github.com/zebbernCVE/CVE-2026-26831

https://github.com/dbashford/textract/blob/master/lib/util.js

https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js

https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js

https://github.com/dbashford/textract

Details

Source: Mitre, NVD

Published: 2026-03-25

Updated: 2026-03-28

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00088