## https://sploitus.com/exploit?id=AB0F68C9-AF6B-54B6-B3BA-5BE016477D57
# CVE-2026-26831: OS command injection in textract
## Summary
`textract` through version `2.5.0` allows OS command injection through
the file path supplied to multiple extractors. Several code paths pass
that file path into `child_process.exec()` with inadequate sanitization.
An attacker who can influence the file name or path can break out of
the command line and run arbitrary commands on the host.
## Affected product
| Product | Affected versions | Fixed version |
| --- | --- | --- |
| textract | all versions through 2.5.0 | no fix available as of 2026-03-24 |
## Vulnerability details
- CVE ID: `CVE-2026-26831`
- CWE: `CWE-78` - OS Command Injection
- CVSS 3.1: `9.8` (`Critical`)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- Affected components:
- `lib/extractors/doc.js`
- `lib/extractors/rtf.js`
- `lib/extractors/dxf.js`
- `lib/extractors/images.js`
- `lib/util.js`
One example is the `doc.js` extractor:
```js
exec('antiword -m UTF-8.txt "' + filePath + '"', ...)
```
Another is the `rtf.js` path handling, which only escapes spaces
before executing the shell command. That does not stop metacharacters
such as `;`, backticks, or `$()`.
## Technical impact
Applications often use `textract` on user-uploaded documents. In that
setup, a malicious file name can trigger command execution during text
extraction.
## Proof of concept
An input file name such as:
```text
test";whoami;".doc
```
can break out of the quoted command string when the vulnerable
extractor runs.
## Mitigation
No fixed npm release is available at the time of writing.
If you still depend on this package:
1. Do not pass attacker-controlled file paths to `textract`.
2. Remove shell-string concatenation from extractor code.
3. Replace `exec()` with argument-safe process execution.
4. Move to a maintained text extraction pipeline.
## References
- https://www.npmjs.com/package/textract
- https://github.com/dbashford/textract
- https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
- https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
- https://github.com/dbashford/textract/blob/master/lib/util.js