CVE-2026-26831

Sažetak

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

Reference

https://github.com/dbashford/textract
https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
https://github.com/dbashford/textract/blob/master/lib/util.js
https://github.com/zebbernCVE/CVE-2026-26831
https://www.npmjs.com/package/textract

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

28-03-2026 - 02:16

Objavljeno

25-03-2026 - 16:16