VYPR

npm package

textract

pkg:npm/textract

Vulnerabilities (1)

  • CVE-2026-26831Mar 25, 2026
    affected <= 2.5.0

    textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/ut