Share
## https://sploitus.com/exploit?id=PACKETSTORM:217866
# CVE-2026-26831: OS command injection in textract
    
    ## Summary
    
    `textract` through version `2.5.0` allows OS command injection through
    the file path supplied to multiple extractors. Several code paths pass
    that file path into `child_process.exec()` with inadequate sanitization.
    An attacker who can influence the file name or path can break out of
    the command line and run arbitrary commands on the host.
    
    ## Affected product
    
    | Product | Affected versions | Fixed version |
    | --- | --- | --- |
    | textract | all versions through 2.5.0 | no fix available as of 2026-03-24 |
    
    ## Vulnerability details
    
    - CVE ID: `CVE-2026-26831`
    - CWE: `CWE-78` - OS Command Injection
    - CVSS 3.1: `9.8` (`Critical`)
    - Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
    - Affected components:
      - `lib/extractors/doc.js`
      - `lib/extractors/rtf.js`
      - `lib/extractors/dxf.js`
      - `lib/extractors/images.js`
      - `lib/util.js`
    
    One example is the `doc.js` extractor:
    
    ```js
    exec('antiword -m UTF-8.txt "' + filePath + '"', ...)
    ```
    
    Another is the `rtf.js` path handling, which only escapes spaces
    before executing the shell command. That does not stop metacharacters
    such as `;`, backticks, or `$()`.
    
    ## Technical impact
    
    Applications often use `textract` on user-uploaded documents. In that
    setup, a malicious file name can trigger command execution during text
    extraction.
    
    ## Proof of concept
    
    An input file name such as:
    
    ```text
    test";whoami;".doc
    ```
    
    can break out of the quoted command string when the vulnerable
    extractor runs.
    
    ## Mitigation
    
    No fixed npm release is available at the time of writing.
    
    If you still depend on this package:
    
    1. Do not pass attacker-controlled file paths to `textract`.
    2. Remove shell-string concatenation from extractor code.
    3. Replace `exec()` with argument-safe process execution.
    4. Move to a maintained text extraction pipeline.
    
    ## References
    
    - https://www.npmjs.com/package/textract
    - https://github.com/dbashford/textract
    - https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
    - https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
    - https://github.com/dbashford/textract/blob/master/lib/util.js