dbashford/textract

Releases: 36
Frequency: 2 months 2 days
Last Release
Stars: 1.7K
node.js module for extracting text from html, pdf, doc, docx, xls, xlsx, csv, pptx, png, jpg, gif, rtf and more!

CVE History

CVE | Published | CVSS v3 | CVSS v2
 | | 9.8 CRITICAL |

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization