textract 2.5.0 Command Injection

Published 26 Mar 2026 00:00:00. Reported by Zebbern Vulnerability Research. Type: packetstorm. Source: packetstorm.news. 118 views.

textract up to version 2.5.0 allows command injection via file paths; no fix as of 2026.

Related

| Reporter | Title | Published |
| --- | --- | --- |
| GithubExploit | Exploit for CVE-2026-26831 | 24 Mar 2026 16:15 |
| CNNVD | textract security vulnerability | 25 Mar 2026 00:00 |
| CVE | CVE-2026-26831 | 25 Mar 2026 00:00 |
| Cvelist | CVE-2026-26831 | 25 Mar 2026 00:00 |
| EUVD | EUVD-2026-15459 | 25 Mar 2026 18:31 |
| Github Security Blog | textract is vulnerable to OS Command Injection | 25 Mar 2026 18:31 |
| NVD | CVE-2026-26831 | 25 Mar 2026 16:16 |
| OSV | GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection | 25 Mar 2026 18:31 |
| Packet Storm | textract 2.5.0 Command Injection | 27 Apr 2026 00:00 |
| Positive Technologies | PT-2026-27800 | 25 Mar 2026 00:00 |
# CVE-2026-26831: OS command injection in textract

## Summary

`textract` through version `2.5.0` allows OS command injection through
the file path supplied to multiple extractors. Several code paths pass
that file path into `child_process.exec()` with inadequate sanitization.
An attacker who can influence the file name or path can break out of
the command line and run arbitrary commands on the host.

## Affected product

| Product | Affected versions | Fixed version |
| --- | --- | --- |
| textract | all versions through 2.5.0 | no fix available as of 2026-03-24 |

## Vulnerability details

- CVE ID: `CVE-2026-26831`
- CWE: `CWE-78` - OS Command Injection
- CVSS 3.1: `9.8` (`Critical`)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- Affected components:
  - `lib/extractors/doc.js`
  - `lib/extractors/rtf.js`
  - `lib/extractors/dxf.js`
  - `lib/extractors/images.js`
  - `lib/util.js`

One example is the `doc.js` extractor:

```js
exec('antiword -m UTF-8.txt "' + filePath + '"', ...)
```

Another is the `rtf.js` path handling, which only escapes spaces
before executing the shell command. That does not stop metacharacters
such as `;`, backticks, or `$()`.

## Technical impact

Applications often use `textract` on user-uploaded documents. In that
setup, a malicious file name can trigger command execution during text
extraction.

## Proof of concept

An input file name such as:

```text
test";whoami;".doc
```

can break out of the quoted command string when the vulnerable
extractor runs.

## Mitigation

No fixed npm release is available at the time of writing.

If you still depend on this package:

1. Do not pass attacker-controlled file paths to `textract`.
2. Remove shell-string concatenation from extractor code.
3. Replace `exec()` with argument-safe process execution.
4. Move to a maintained text extraction pipeline.
    
## References

- https://www.npmjs.com/package/textract
- https://github.com/dbashford/textract
- https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
- https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
- https://github.com/dbashford/textract/blob/master/lib/util.js


Scores (current as of 26 Mar 2026 00:00):

- Vulners AI Score: 6 (Medium risk)
- CVSS 3.1: 9.8
- EPSS: 0.02421
- SSVC
- Views: 118