CVE-2026-26831
Vexday Risk Score: 28 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
CVSS: 9.8 | EPSS: 2.4% | KEV: no | PoC: — | Nuclei: — | Metasploit: — | Patch: —
Lifecycle
25 Mar 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
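The class of bug described above, shown as an added example that is not textract's code: a path concatenated into a shell command string next to the same call made through an argument vector with no shell. `printf` stands in for an extractor binary; the function names, the sample filename and the `/srv/uploads` directory are assumptions made for the illustration.

```javascript
const { execSync, execFileSync } = require('child_process');
const path = require('path');

// Constructed sample: a filename carrying a harmless shell substitution marker.
const SAMPLE_NAME = 'report$(echo MARKER).doc';

// Pattern from the description: the path is concatenated into a command
// string, so /bin/sh parses the filename before the tool ever sees it.
function viaShellString(filePath) {
  return execSync('printf %s "' + filePath + '"', { encoding: 'utf8' });
}

// Hardened form: no shell is involved and the path travels as a single
// argv element. Resolving to an absolute path also keeps a name that
// starts with "-" from being read as an option by the called tool.
function viaArgv(filePath) {
  const abs = path.resolve('/srv/uploads', filePath); // hypothetical upload dir
  return execFileSync('printf', ['%s', abs], { encoding: 'utf8' });
}

// Regression check: true when the shell changed what the tool received.
function shellAlteredName(filePath) {
  return viaShellString(filePath) !== filePath;
}

console.log('shell string:', viaShellString(SAMPLE_NAME));
console.log('argv        :', viaArgv(SAMPLE_NAME));
```

When auditing a code base for this pattern, look for `exec()` or `execSync()` calls whose command string includes a path or filename, and check whether they can be moved to `execFile()` or `spawn()` without the `shell` option.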
Affected products
n/a · n/a
References
https://github.com/dbashford/textract
https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
https://github.com/dbashford/textract/blob/master/lib/util.js
https://github.com/zebbernCVE/CVE-2026-26831
https://www.npmjs.com/package/textract