{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26831", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z"}, "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/textract"}, {"url": "https://github.com/dbashford/textract"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "id": "CVE-2026-26831", "lastModified": "2026-03-26T15:13:15.790", "metrics": {}, "published": "2026-03-25T16:16:21.123", "references": [{"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26831"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/textract"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "textract", "vendor": "dbashford"}], "analysis": {"en": {"generated_at": "2026-03-26T02:53:01.080874+00:00", "value": {"mitigation_remediation": ["Upgrade textract to the latest stable version where the filePath sanitization is corrected; verify the commit that removes direct exec usage.", "If an upgrade is impractical, refactor the code to eliminate child_process.exec for file paths or replace it with child_process.spawn that receives a properly escaped argument list.", "Implement strict validation on the filePath parameter\u2014allow only a safe subset of characters, eliminate directory traversal, and reject paths containing shell metacharacters.", "Run the textract functionality under a low\u2011privilege user or container to limit the damage from potential command execution.", "Continuously monitor the textract repository and npm for security advisories and promptly apply subsequent patches."], "summary": {"action": "Patch Package", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All deployments that use the textract npm package at version 2.5.0 or earlier are vulnerable. The issue appears in the doc, rtf, dxf, images, and util extractor modules. Applications that accept user\u2011provided files with tamperable names\u2014such as document upload features, file conversion services, or image processing pipelines\u2014must be considered at risk.", "description_and_impact": "textract, a Node.js text extraction library used to read documents, RTF, DXF, images, and other file types, invokes the operating system\u2019s shell via child_process.exec in several of its extractor modules. In versions up to 2.5.0 the filePath argument supplied by the caller is passed straight into exec without any validation or escaping. This omission allows an attacker who supplies a crafted filename to inject arbitrary shell commands. The injected commands run with the privileges of the Node.js process, potentially granting full control over the system that hosts the application. The flaw is an example of input validation failure (CWE\u201120) that leads to OS command injection (CWE\u201178).", "risk_and_exploitability": "Because the vulnerability is triggered when a file with a malicious name is processed, an attacker needs to supply such a file. If the application accepts input from an untrusted source, the injection can be carried out remotely. The CVSS score and EPSS rating are not available, so the precise severity is uncertain, but the impact is high when the process runs with elevated privileges. The flaw is not listed in the CISA KEV catalog, and no public exploit has been reported yet; however, the source code is publicly available on GitHub, which lowers the barrier for attackers to craft an exploit. The risk is moderate to high for applications that expose textract to external file uploads or processing services."}}}}, "created": "2026-03-25T20:57:02.299016+00:00", "updated": "2026-03-26T12:18:40.766024+00:00", "vendors": ["dbashford", "dbashford$PRODUCT$textract"]}