CVE-2026-26831: textract is vulnerable to OS Command Injection
(updated )
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
References
- github.com/advisories/GHSA-9pcj-m5rr-p28g
- github.com/dbashford/textract
- github.com/dbashford/textract/blob/master/lib/extractors/doc.js
- github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
- github.com/dbashford/textract/blob/master/lib/util.js
- github.com/zebbernCVE/CVE-2026-26831
- nvd.nist.gov/vuln/detail/CVE-2026-26831
- www.npmjs.com/package/textract
Code Behaviors & Features
Detect and mitigate CVE-2026-26831 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →