Vulnerability Details CVE-2026-26831
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 36.5%
CVSS Severity
CVSS v3 Score 9.8
References
- https://github.com/dbashford/textract
- https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
- https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
- https://github.com/dbashford/textract/blob/master/lib/util.js
- https://github.com/zebbernCVE/CVE-2026-26831
- https://www.npmjs.com/package/textract