{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26831", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-28T01:12:59.787Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z"}, "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/textract"}, {"url": "https://github.com/dbashford/textract"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T01:11:51.578510Z", "id": "CVE-2026-26831", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:12:59.787Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26831", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-28T01:11:51.578510Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:12:42.439Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.npmjs.com/package/textract"}, {"url": "https://github.com/dbashford/textract"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831"}], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26831", "state": "PUBLISHED", "dateUpdated": "2026-03-28T01:12:59.787Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dbashford:textract:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9DD5E682-185B-4FC0-AA02-650FC0C89BA1", "versionEndIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}, {"lang": "es", "value": "textract hasta la versi\u00f3n 2.5.0 es vulnerable a la Inyecci\u00f3n de Comandos del Sistema Operativo a trav\u00e9s del par\u00e1metro de ruta de archivo en m\u00faltiples extractores. Al procesar archivos con nombres de archivo maliciosos, la ruta de archivo (filePath) se pasa directamente a child_process.exec() en lib/extractors/doc.js, rtf.js, dxf.js, images.js y lib/util.js con una sanitizaci\u00f3n inadecuada."}], "id": "CVE-2026-26831", "lastModified": "2026-03-30T13:33:41.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.123", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/dbashford/textract"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/zebbernCVE/CVE-2026-26831"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.npmjs.com/package/textract"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "textract", "vendor": "dbashford"}], "analysis": {"en": {"generated_at": "2026-03-30T14:36:35.024331+00:00", "value": {"mitigation_remediation": ["Apply the latest textract release (v2.5.1 or newer) which removes unsanitized filePath usage.", "If upgrading is not immediately possible, ensure that any file paths passed to textract are strictly validated to contain only safe characters and that no user\u2011supplied file names reach the exec call.", "Consider switching to safer extraction mechanisms or replacing textract with a library that does not use child_process.exec for handling file paths.", "Monitor the project repository for further updates or security advisories."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source npm package textract, versions up to and including 2.5.0. Applications built with Node.js that depend on this package are at risk. No other vendors or products are listed. The supporting CPE indicates a Node.js environment. Any project using textract < 2.5.0 for document, RTF, DXF, or image extraction is impacted.", "description_and_impact": "The vulnerability occurs in the textract library version 2.5.0 and earlier because the filePath parameter supplied to various extractors is passed directly to child_process.exec without sanitization. This allows an attacker to inject arbitrary operating system commands, potentially leading to remote code execution. The weakness maps to CWE-78: OS Command Injection and CWE-94: Improper Syntax Handling. The attacker could take control of the system running the library if a malicious filename is processed.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. The EPSS score is below 1%, suggesting that exploitation is currently uncommon. The issue is not present in CISA\u2019s Known Exploited Vulnerabilities catalog. Because the attacker must supply a crafted file name that reaches the child_process.exec call, the attack vector is execution of arbitrary commands on the host where the application runs. If an application exposes textract to untrusted input, an attacker could trigger compromised system behavior."}}}}, "created": "2026-03-25T20:57:02.299016+00:00", "updated": "2026-03-30T20:58:03.364646+00:00", "vendors": ["dbashford", "dbashford$PRODUCT$textract"]}