CVE-2026-26831

Published
View on NVD ↗
CVSS v3
9.8
CRITICAL
CVSS v2
N/A
Affected
3
PROJECTS

Description

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

dbashford/textract
dbashford/textract
node.js module for extracting text from html, pdf, doc, docx, xls, xlsx, csv, pptx, png, jpg, gif, rtf and more!
GitHubGitHub
1.7K
zebbernCVE/CVE-2026-26831
zebbernCVE/CVE-2026-26831
Advisory for textract ⌯⌲ 15 000 weekly downloads
GitHubGitHub
textract
textract
Extracting text from files of various type including html, pdf, doc, docx, xls, xlsx, csv, pptx, png, jpg, gif, rtf, text/*, and various open office.
NPMNPM