Cyber Posture

CVE-2026-26831

Critical · Public PoC

Published: 25 March 2026
Modified: 30 March 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (65.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

textract through 2.5.0 is vulnerable to OS command injection via the file path parameter in multiple extractors. When processing a file whose name is attacker-controlled, the filePath is passed directly into a command string given to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js without adequate sanitization, so shell metacharacters in the filename are interpreted by the shell rather than treated as part of the path.

Mitigating Controls (NIST 800-53 r5), AI-generated

prevent: Directly requires validation and sanitization of filePath inputs before they are passed to child_process.exec(), blocking OS command injection through malicious filenames.

prevent: Mandates timely identification, testing, and deployment of fixes for flaws such as the unsanitized filePath handling in textract versions through 2.5.0.

prevent: Requires vulnerability scanning of third-party libraries such as textract so that known issues like CVE-2026-26831 are detected and remediated before they can be exploited.

Security Summary, AI-generated

textract, a Node.js library for extracting text from various document formats, contains an OS command injection vulnerability in versions through 2.5.0 (CVE-2026-26831, CWE-78, CWE-94). The issue arises when a file with a malicious filename is processed: the filePath parameter is interpolated into a shell command and passed to child_process.exec() without adequate sanitization in multiple extractor modules, including lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js. The flaw was published on 2026-03-25 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers require no privileges or user interaction to exploit this vulnerability. By supplying a file with a specially crafted filename to an application that hands the uploaded name to textract for document processing, an unauthenticated adversary can inject and execute arbitrary operating system commands on the host, running with the privileges of the Node.js process. Successful exploitation grants high impact on confidentiality, integrity, and availability, up to full remote code execution. The precondition is that the attacker influences the path string reaching the vulnerable extractors; applications that rename uploads to a server-generated name before extraction are not reachable through this path.

References point to the textract GitHub repository and the specific vulnerable source files, along with a dedicated CVE details repository. Security practitioners should check the project's releases for a version that addresses the flaw (the Patch field on this page is empty), since all versions through 2.5.0 are affected, and update dependent applications accordingly. Where an upgrade is not yet possible, do not pass user-controlled filenames to textract: stage each upload under a server-generated name that keeps only a vetted extension, and reject any path containing shell metacharacters before extraction.

Details

CWE(s): CWE-78, CWE-94

Affected Products

dbashford textract, versions ≤ 2.5.0

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability allows unauthenticated remote command injection via malicious filenames processed by the library, so an Internet-facing application that accepts uploads and runs them through textract is the entry point (T1190), and the injected payload runs through the system shell invoked by child_process.exec() (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References