CVE-2026-26831
Published: 25 March 2026
Summary
CVE-2026-26831 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dbashford Textract. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
Textract, a Node.js library for extracting text from various document formats through version 2.5.0, contains an OS command injection vulnerability (CVE-2026-26831, CWE-78, CWE-94). The issue arises when processing files with malicious filenames, as the filePath parameter is passed directly to child_process.exec() without adequate sanitization in multiple extractor modules, including lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js. This flaw was published on 2026-03-25 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Remote attackers require no privileges or user interaction to exploit this vulnerability. By supplying a file with a specially crafted filename to an application using textract for document processing, an unauthenticated adversary can inject and execute arbitrary operating system commands on the host system. Successful exploitation grants high-impact control over confidentiality, integrity, and availability, potentially leading to full remote code execution.
References point to the textract GitHub repository and the specific vulnerable source files, along with a dedicated CVE details repository. Security practitioners should verify the latest textract release for remediation, as the vulnerability affects versions through 2.5.0, and update affected applications accordingly to mitigate risks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15459
Vulnerability details
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote command injection via malicious filenames processed by the library, enabling exploitation of public-facing applications (T1190) for arbitrary OS command execution (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of filePath inputs before passing to child_process.exec to block OS command injection from malicious filenames.
- Mandates timely identification, testing, and deployment of fixes for flaws like the unsanitized filePath handling in textract versions through 2.5.0.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning of third-party libraries like textract to detect and remediate known issues such as CVE-2026-26831 prior to exploitation.