CVE-2026-26831
EUVD-2026-15459
25.03.2026, 16:16
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.
Enginsight
Awaiting analysis
This vulnerability is currently awaiting analysis.
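The pattern described above, as an added example that is not textract's code or part of this record: a constructed filename is passed once through a shell command string and once as a single argv element. `echo` stands in for the external converter binary (assumes a POSIX system), and the function names and sample filename are assumptions for illustration.

```javascript
const { execSync, execFileSync } = require('child_process');
const path = require('path');

// Constructed sample: everything after ';' is shell syntax, not part of a path.
const SAMPLE_NAME = 'report.doc; echo INJECTED';

// `echo` stands in for an external converter binary (assumption, POSIX only).
const TOOL = 'echo';

// Pattern named in the advisory: the path is concatenated into a command
// string and handed to a shell, which parses metacharacters in the filename.
function runViaShell(filePath) {
  return execSync(TOOL + ' ' + filePath, { encoding: 'utf8' });
}

// Hardened form: no shell is involved, the path is exactly one argv element.
// path.resolve() makes it absolute, so it cannot begin with '-' and be
// read as an option by the tool.
function runViaArgv(filePath) {
  return execFileSync(TOOL, [path.resolve(filePath)], { encoding: 'utf8' });
}

// Split tool output into non-empty lines for comparison.
function outputLines(out) {
  return out.split('\n').filter(Boolean);
}

// Shell form: the filename is split into two commands, giving two lines.
console.log(outputLines(runViaShell(SAMPLE_NAME)));
// Argv form: one line, the full filename treated as data.
console.log(outputLines(runViaArgv(SAMPLE_NAME)));
```

When auditing a Node.js code base for this class of bug, calls to `exec`/`execSync` whose command string is built from a path or other caller-supplied value are the ones to review first.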
References