Critical severity · NVD Advisory · Published Mar 25, 2026 · Updated Mar 28, 2026
CVE-2026-26831
Description
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.
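The mitigation pattern for this class of bug, as an added example that is not textract's code or part of the advisory: the file path is handed to the child process as one argv element through execFileSync instead of being concatenated into an exec() command string. The function names, the stand-in extractor (the Node binary itself) and the sample file name are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; not textract's source.
const { execFileSync } = require("node:child_process");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Pattern the advisory describes, shown for contrast only and never run:
//   exec("some-extractor " + filePath)  // file name becomes shell text

// Stand-in for an external extractor binary so the example runs offline:
// the Node executable, printing the file named by its last argument.
const EXTRACTOR = process.execPath;
const PRINT_FILE =
  "process.stdout.write(require('fs').readFileSync(" +
  "process.argv[process.argv.length - 1], 'utf8'))";

function extractTextSafely(filePath) {
  if (typeof filePath !== "string" || filePath.includes("\0")) {
    throw new TypeError("invalid file path");
  }
  // An absolute path cannot begin with "-" and be parsed as an option.
  const absolute = path.resolve(filePath);
  if (!fs.statSync(absolute).isFile()) {
    throw new Error("not a regular file");
  }
  // execFileSync takes argv as an array and starts no shell, so
  // metacharacters in the name stay inside one argument.
  return execFileSync(EXTRACTOR, ["-e", PRINT_FILE, absolute], {
    encoding: "utf8",
    timeout: 10000,
  });
}

// Constructed sample: a file whose name contains shell metacharacters.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "extract-demo-"));
  const file = path.join(dir, "report; $(echo INJECTED) & .doc");
  try {
    fs.writeFileSync(file, "plain document text");
    return extractTextSafely(file);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(demo());
```

The child receives the file name byte for byte as a single argument, so the output is the file's contents and nothing from the name is evaluated.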
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| textract (npm) | <= 2.5.0 | — |
Affected products
- textract/textract (description)
References
- github.com/advisories/GHSA-9pcj-m5rr-p28g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26831 (ghsa, ADVISORY)
- github.com/dbashford/textract/blob/master/lib/extractors/doc.js (ghsa, WEB)
- github.com/dbashford/textract/blob/master/lib/extractors/rtf.js (ghsa, WEB)
- github.com/dbashford/textract/blob/master/lib/util.js (ghsa, WEB)
- www.npmjs.com/package/textract (ghsa, WEB)