Skip to main content

CVE-2026-26831

| EUVDEUVD-2026-15459 CRITICAL
Code Injection (CWE-94)
2026-03-25 mitre GHSA-9pcj-m5rr-p28g
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:16 euvd
EUVD-2026-15459
Analysis Generated
Mar 25, 2026 - 16:16 vuln.today
CVE Published
Mar 25, 2026 - 00:00 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 70 npm packages depend on textract (54 direct, 17 indirect)

Ecosystem-wide dependent count for version 2.5.0.

DescriptionCVE.org

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

AnalysisAI

The textract library through version 2.5.0 contains an OS command injection vulnerability in its file extraction modules that allows attackers to execute arbitrary operating system commands by crafting malicious filenames. The vulnerability affects multiple extractors (doc.js, rtf.js, dxf.js, images.js, and util.js) where user-supplied file paths are passed directly to child_process.exec() without adequate sanitization. An attacker can exploit this by uploading or referencing files with specially crafted names containing shell metacharacters, leading to complete system compromise with the privileges of the process running textract.

Technical ContextAI

The textract library is a Node.js package (available on npm) designed to extract text from various document formats including DOC, RTF, DXF, and image files. The vulnerability stems from unsafe usage of child_process.exec() in multiple extractor modules, which spawns a shell to execute system commands. Rather than using safer alternatives like child_process.execFile() with parameterized arguments, the code concatenates user-controlled file paths directly into shell command strings. This is a classic OS command injection vulnerability (CWE-78) where shell metacharacters in filenames (such as semicolons, pipes, or backticks) are interpreted by the shell rather than treated as literal filename characters. The affected modules include lib/extractors/doc.js, lib/extractors/rtf.js, lib/extractors/dxf.js, lib/extractors/images.js, and lib/util.js, indicating a systemic sanitization issue across the codebase.

RemediationAI

Immediately upgrade the textract library to a version newer than 2.5.0 if available, or discontinue use of the library until a patched version is released by the maintainers. Check the official GitHub repository (https://github.com/dbashford/textract) for security updates and patch releases. In the interim, implement compensating controls by sanitizing all filenames before passing them to textract by removing or escaping shell metacharacters (semicolons, pipes, backticks, dollar signs, ampersands, parentheses, and quotes), implementing strict input validation using allowlists of safe characters, running the textract process in a restricted container or sandbox with minimal filesystem and network access, and applying principle of least privilege so the Node.js process runs with the minimum necessary permissions. Consider using alternative text extraction libraries that handle shell command construction more safely, or submit a pull request to the textract repository with fixes that replace child_process.exec() calls with child_process.execFile() and proper argument parameterization.

Share

CVE-2026-26831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy