Share
## https://sploitus.com/exploit?id=AB0F68C9-AF6B-54B6-B3BA-5BE016477D57
# CVE-2026-26831: OS command injection in textract

## Summary

`textract` through version `2.5.0` allows OS command injection through
the file path supplied to multiple extractors. Several code paths pass
that file path into `child_process.exec()` with inadequate sanitization.
An attacker who can influence the file name or path can break out of
the command line and run arbitrary commands on the host.

## Affected product

| Product | Affected versions | Fixed version |
| --- | --- | --- |
| textract | all versions through 2.5.0 | no fix available as of 2026-03-24 |

## Vulnerability details

- CVE ID: `CVE-2026-26831`
- CWE: `CWE-78` - OS Command Injection
- CVSS 3.1: `9.8` (`Critical`)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- Affected components:
  - `lib/extractors/doc.js`
  - `lib/extractors/rtf.js`
  - `lib/extractors/dxf.js`
  - `lib/extractors/images.js`
  - `lib/util.js`

One example is the `doc.js` extractor:

```js
exec('antiword -m UTF-8.txt "' + filePath + '"', ...)
```

Another is the `rtf.js` path handling, which only escapes spaces
before executing the shell command. That does not stop metacharacters
such as `;`, backticks, or `$()`.

## Technical impact

Applications often use `textract` on user-uploaded documents. In that
setup, a malicious file name can trigger command execution during text
extraction.

## Proof of concept

An input file name such as:

```text
test";whoami;".doc
```

can break out of the quoted command string when the vulnerable
extractor runs.

## Mitigation

No fixed npm release is available at the time of writing.

If you still depend on this package:

1. Do not pass attacker-controlled file paths to `textract`.
2. Remove shell-string concatenation from extractor code.
3. Replace `exec()` with argument-safe process execution.
4. Move to a maintained text extraction pipeline.

## References

- https://www.npmjs.com/package/textract
- https://github.com/dbashford/textract
- https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
- https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
- https://github.com/dbashford/textract/blob/master/lib/util.js