CVE-2026-26831
CVE-2026-26831
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.8EPSS 2.4%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
25 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
n/a · n/a¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://github.com/dbashford/textracthttps://github.com/dbashford/textract/blob/master/lib/extractors/doc.jshttps://github.com/dbashford/textract/blob/master/lib/extractors/rtf.jshttps://github.com/dbashford/textract/blob/master/lib/util.jshttps://github.com/zebbernCVE/CVE-2026-26831https://www.npmjs.com/package/textract