{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26831", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z"}, "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/textract"}, {"url": "https://github.com/dbashford/textract"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "id": "CVE-2026-26831", "lastModified": "2026-03-26T15:13:15.790", "metrics": {}, "published": "2026-03-25T16:16:21.123", "references": [{"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26831"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/textract"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "textract", "vendor": "dbashford"}], "analysis": {"en": {"generated_at": "2026-03-26T14:57:17.763247+00:00", "value": {"mitigation_remediation": ["Upgrade textract to the latest released version to eliminate the vulnerable code paths.", "If an upgrade is not immediately feasible, modify the application to sanitize or reject any file names that contain shell metacharacters before passing them to exec, or replace exec with a safer alternative such as child_process.spawn using a whitelist of allowed commands.", "Run the application under the least\u2011privilege user account to limit the damage potential.", "Implement input validation on the filePath parameter to ensure only expected file names and extensions are accepted.", "Monitor application logs for unexpected execution of child_process routines and review audit trails for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Any Node.js application that incorporates textract\u00a02.5.0 or older and processes files supplied by users. The issue is present in the doc, rtf, dxf, images and util extractors. Systems running the affected package version, regardless of platform, are vulnerable.", "description_and_impact": "The vulnerability resides in the textract library, a Node.js package used to extract text from various document formats. Prior to version\u00a02.5.0, the library accepts a file path parameter that is passed unfiltered to child_process.exec in several extractor modules. This lack of input sanitization allows an attacker to craft a malicious filename that will be executed as an operating\u2011system command, potentially leading to arbitrary code execution on the host system. The weakness corresponds to the OS Command Injection class of attacks (CWE-78).", "risk_and_exploitability": "EPSS below 1\u202f% indicates low current exploit probability, and the vulnerability has not been observed in the CISA KEV catalog. Nevertheless, the impact is severe because the flaw permits remote code execution if an attacker can supply a crafted filename. Exploitation requires the ability to influence the filePath argument. The attack vector is likely local or remote file uploads, especially in applications that automatically process user\u2011provided documents. Because the flaw uses child_process.exec, even a single privileged user could elevate privileges or compromise the host if executed."}}}}, "created": "2026-03-25T20:57:02.299016+00:00", "title": "OS Command Injection in textract via unsanitized file path", "updated": "2026-03-27T09:20:28.718803+00:00", "vendors": ["dbashford", "dbashford$PRODUCT$textract"], "weaknesses": ["CWE-78"]}