← volver
CVE-2026-26831

CVE-2026-26831

CVSS 9.8 CRITICALEPSS 2.4%CWE-94
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
n/a · n/a

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/dbashford/textracthttps://github.com/dbashford/textract/blob/master/lib/extractors/doc.jshttps://github.com/dbashford/textract/blob/master/lib/extractors/rtf.jshttps://github.com/dbashford/textract/blob/master/lib/util.jshttps://github.com/zebbernCVE/CVE-2026-26831https://www.npmjs.com/package/textract