CVE-2026-26831 - Vulnerability Analysis
N/a | Last Updated: March 25, 2026
textract - Command Injection
Published: March 25, 2026 | Updated: March 25, 2026 | PoC Available
Overview
textract <= 2.5.0 contains a command injection vulnerability caused by inadequate sanitization of the file path parameter in multiple extractors. Attackers can execute arbitrary OS commands via malicious filenames; exploitation requires crafted file input.
Severity & Score
Severity: N/a
Impact
Attackers can execute arbitrary OS commands, potentially leading to full system compromise.
Mitigation
Update to the latest version of textract.
References
- https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
- https://github.com/dbashford/textract/blob/master/lib/util.js
- https://github.com/zebbernCVE/CVE-2026-26831
- https://www.npmjs.com/package/textract
- https://github.com/dbashford/textract
- https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
Details
- CVE ID: CVE-2026-26831
- Severity: N/a
- Type: command_injection
- Status: new
CVSS Metrics
N/A