{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26831", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-28T01:12:59.787Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z"}, "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/textract"}, {"url": "https://github.com/dbashford/textract"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T01:11:51.578510Z", "id": "CVE-2026-26831", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:12:59.787Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26831", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-28T01:11:51.578510Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T01:12:42.439Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.npmjs.com/package/textract"}, {"url": "https://github.com/dbashford/textract"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"url": "https://github.com/zebbernCVE/CVE-2026-26831"}], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T15:52:03.946Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26831", "state": "PUBLISHED", "dateUpdated": "2026-03-28T01:12:59.787Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization"}, {"lang": "es", "value": "textract hasta la versi\u00f3n 2.5.0 es vulnerable a la Inyecci\u00f3n de Comandos del Sistema Operativo a trav\u00e9s del par\u00e1metro de ruta de archivo en m\u00faltiples extractores. Al procesar archivos con nombres de archivo maliciosos, la ruta de archivo (filePath) se pasa directamente a child_process.exec() en lib/extractors/doc.js, rtf.js, dxf.js, images.js y lib/util.js con una sanitizaci\u00f3n inadecuada."}], "id": "CVE-2026-26831", "lastModified": "2026-03-28T02:16:14.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.123", "references": [{"source": "[email protected]", "url": "https://github.com/dbashford/textract"}, {"source": "[email protected]", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js"}, {"source": "[email protected]", "url": "https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js"}, {"source": "[email protected]", "url": "https://github.com/dbashford/textract/blob/master/lib/util.js"}, {"source": "[email protected]", "url": "https://github.com/zebbernCVE/CVE-2026-26831"}, {"source": "[email protected]", "url": "https://www.npmjs.com/package/textract"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "textract", "vendor": "dbashford"}], "analysis": {"en": {"generated_at": "2026-03-27T10:30:35.773810+00:00", "value": {"mitigation_remediation": ["Upgrade textract to a version that sanitizes the file path, such as 2.6.0 or later.", "If an upgrade is not immediately possible, modify the extraction logic to escape or validate the file path before calling child_process.exec.", "Avoid processing untrusted files with textract; use file validation or a sandboxed extraction service.", "Monitor npm advisories for future patches."], "summary": {"action": "Apply patch", "impact": "OS Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Node.js package textract, versions 2.5.0 and earlier. It is triggered in the extractor modules for doc, rtf, dxf, images and the common util helper. Projects that import textract to parse user supplied documents are at risk. No vendor name is listed; the package is distributed through npm.", "description_and_impact": "OS Command Injection occurs when textract, versions up to 2.5.0, accepts a file path argument that is not sanitized before being supplied to child_process.exec in its document extractors. An attacker can craft a file name that includes shell metacharacters, causing the application to execute arbitrary commands on the host. This weakness enables full code execution, a severe compromise of confidentiality, integrity, and availability. It is categorized as CWE\u201178.", "risk_and_exploitability": "The EPSS score is below 1\u202f%, indicating a low probability of exploitation today, but the CVSS implicit severity is high because the flaw allows arbitrary command execution. The vulnerability is not included in the CISA KEV catalog. Exploitation requires the victim application to process a maliciously named file, which means the attacker needs to supply or trick the target system into loading such a file. If a system routinely consumes untrusted documents, the risk remains significant."}}}}, "created": "2026-03-25T20:57:02.299016+00:00", "updated": "2026-03-27T15:48:09.633079+00:00", "vendors": ["dbashford", "dbashford$PRODUCT$textract"]}