Vulnerability Description
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dbashford | Textract | <= 2.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/dbashford/textractProduct
- https://github.com/dbashford/textract/blob/master/lib/extractors/doc.jsProduct
- https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.jsProduct
- https://github.com/dbashford/textract/blob/master/lib/util.jsProduct
- https://github.com/zebbernCVE/CVE-2026-26831ExploitThird Party Advisory
- https://www.npmjs.com/package/textractProduct
FAQ
What is CVE-2026-26831?
CVE-2026-26831 is a vulnerability with a CVSS score of 9.8 (CRITICAL). textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to chil...
How severe is CVE-2026-26831?
CVE-2026-26831 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-26831?
Check the references section above for vendor advisories and patch information. Affected products include: Dbashford Textract.