{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26831", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z"}, "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/textract"}, {"url": "https://github.com/dbashford/textract"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "id": "CVE-2026-26831", "lastModified": "2026-03-25T16:16:21.123", "metrics": {}, "published": "2026-03-25T16:16:21.123", "references": [{"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"source": "cve@mitre.org", "url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"source": "cve@mitre.org", "url": "https://github.com/zebbernCVE/CVE-2026-26831"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/textract"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:38:46.202346+00:00", "value": {"mitigation_remediation": ["Upgrade textract to a version newer than 2.5.0.", "If an upgrade is not possible, modify the extractor code to validate or sanitize the filePath before invoking child_process.exec.", "Avoid using child_process.exec; replace it with child_process.execFile or spawn with safe arguments.", "Restrict file uploads to trusted sources and validate filenames before processing.", "Monitor system logs for unexpected child_process exec usage."], "summary": {"action": "Patch Immediately", "impact": "OS Command Injection"}, "threat_synthesis": {"affected_systems": "Node.js applications that depend on the textract package with versions through 2.5.0 are affected. The vulnerability appears in the core extraction modules for doc, rtf, dxf, images, and the utility module that all file processors rely on. Any deployment of textract v2.5.0 or earlier that accepts external files is therefore vulnerable.", "description_and_impact": "The vulnerability in the textract library allows an attacker to inject arbitrary operating system commands by crafting a file name that is not properly sanitized before being passed to child_process.exec. The unsanitized filePath is used in multiple extractors, meaning that any file processed through textract could trigger the execution of attacker\u2013supplied commands. This can compromise confidentiality, integrity, and availability of the host system by allowing unrestricted code execution.", "risk_and_exploitability": "The exploit relies on local execution of the textract process; when a file with a malicious name is supplied, the application will run arbitrary shell commands. This is inferred as a local attack vector, but it could be triggered remotely if the application permits untrusted file uploads or processing. The CVSS score is not supplied, yet the potential for complete system compromise indicates a high severity level. With no EPSS data or KEV listing, the likelihood is undetermined, but the presence of unsanitized child_process.exec calls creates a significant risk."}}}}, "created": "2026-03-25T20:57:02.299016+00:00", "title": "OS Command Injection via Malicious File Paths in textract Package", "updated": "2026-03-25T20:57:02.299077+00:00", "vendors": [], "weaknesses": ["CWE-78", "CWE-20"]}