← Voltar para CVEs

CVE-2026-26831

CRITICAL

9.8

Descricao

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

Detalhes CVE

Pontuacao CVSS v3.19.8

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado3/25/2026

Ultima modificacao3/30/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

dbashford:textract

Fraquezas (CWE)

CWE-78CWE-94

Referencias

https://github.com/dbashford/textract(cve@mitre.org)

https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js(cve@mitre.org)

https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js(cve@mitre.org)

https://github.com/dbashford/textract/blob/master/lib/util.js(cve@mitre.org)

https://github.com/zebbernCVE/CVE-2026-26831(cve@mitre.org)

https://www.npmjs.com/package/textract(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.