CVE-2026-26831

Published: Mar 25, 2026
Last Modified: Mar 25, 2026

Description

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When a file with a malicious filename is processed, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.
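
The unsafe and hardened call patterns side by side, as an added example that is not textract's code. Assumptions: `extractor` is a hypothetical tool name, the filename is constructed, and the Node binary stands in for the external extractor so the block runs offline.

```javascript
// Added example, not code from textract.
const { execFileSync } = require('node:child_process');

// Stand-in for an external extractor binary (assumption): the current Node
// binary, told to print the argument list it received as JSON.
const TOOL = process.execPath;
const ECHO_ARGS = ['-e', 'process.stdout.write(JSON.stringify(process.argv.slice(1)))'];

// Constructed sample filename containing shell syntax (quote, ';', '#').
const SAMPLE = 'notes"; echo INJECTED; #.doc';

// Unsafe pattern: the path is spliced into one string that exec() would hand
// to a shell. The string is returned for inspection only and never executed.
function shellCommandFor(filePath) {
  return 'extractor "' + filePath + '"'; // 'extractor' is a hypothetical name
}

// Hardened pattern: execFile() starts the tool directly with an argument
// array, so no shell parses the path and it arrives as exactly one argument.
function argsSeenByTool(filePath) {
  const out = execFileSync(TOOL, [...ECHO_ARGS, filePath], { encoding: 'utf8' });
  return JSON.parse(out);
}

// The closing quote in the filename ends the quoted argument early, so a shell
// would read the text after ';' as a second command.
console.log('string a shell would parse:', shellCommandFor(SAMPLE));
// The same filename reaches the tool unmodified as a single argv entry.
console.log('argv with execFile:', argsSeenByTool(SAMPLE));
```

Passing an argument array removes shell parsing only; a path that begins with `-` can still be read as an option by the tool itself, so that case needs its own check.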

https://github.com/dbashford/textract
https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
https://github.com/dbashford/textract/blob/master/lib/util.js
https://github.com/zebbernCVE/CVE-2026-26831
https://www.npmjs.com/package/textract