# CVE-2026-26831: OS command injection in textract

## Summary

`textract` through version `2.5.0` allows OS command injection through the file path supplied to multiple extractors. Several code paths pass that file path into `child_process.exec()` with inadequate sanitization. An attacker who can influence the file name or path can break out of the command line and run arbitrary commands on the host.

## Affected product

| Product | Affected versions | Fixed version |
| --- | --- | --- |
| textract | all versions through 2.5.0 | no fix available as of 2026-03-24 |

## Vulnerability details

- CVE ID: `CVE-2026-26831`
- CWE: `CWE-78` - OS Command Injection
- CVSS 3.1: `9.8` (`Critical`)
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- Affected components:
  - `lib/extractors/doc.js`
  - `lib/extractors/rtf.js`
  - `lib/extractors/dxf.js`
  - `lib/extractors/images.js`
  - `lib/util.js`

One example is the `doc.js` extractor, which concatenates the caller-supplied path directly into a shell command string:

```js
exec('antiword -m UTF-8.txt "' + filePath + '"', ...)
```

Another is the `rtf.js` path handling, which only escapes spaces before executing the shell command. That does not stop metacharacters such as `;`, backticks, or `$()`.

## Technical impact

Applications often use `textract` on user-uploaded documents. In that setup, a malicious file name can trigger command execution during text extraction.

## Proof of concept

An input file name such as:

```text
test";whoami;".doc
```

can break out of the quoted command string when the vulnerable extractor runs.

## Mitigation

No fixed npm release is available at the time of writing. If you still depend on this package:

1. Do not pass attacker-controlled file paths to `textract`.
2. Remove shell-string concatenation from extractor code.
3. Replace `exec()` with argument-safe process execution.
4. Move to a maintained text extraction pipeline.
## References

- https://www.npmjs.com/package/textract
- https://github.com/dbashford/textract
- https://github.com/dbashford/textract/blob/master/lib/extractors/doc.js
- https://github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
- https://github.com/dbashford/textract/blob/master/lib/util.js