
CVE-2026-26831

Critical · Public PoC · RCE

Published: 25 March 2026
Modified: 30 March 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0242 (82.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26831 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dbashford Textract. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 17.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

Textract, a Node.js library for extracting text from various document formats, contains an OS command injection vulnerability in versions through 2.5.0 (CVE-2026-26831, CWE-78, CWE-94). The issue arises when processing files with malicious filenames: the filePath parameter is passed directly to child_process.exec() without adequate sanitization in multiple extractor modules, including lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js. This flaw was published on 2026-03-25 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers require no privileges or user interaction to exploit this vulnerability. By supplying a file with a specially crafted filename to an application using textract for document processing, an unauthenticated adversary can inject and execute arbitrary operating system commands on the host system. Successful exploitation grants high-impact control over confidentiality, integrity, and availability, potentially leading to full remote code execution.

References point to the textract GitHub repository and the specific vulnerable source files, along with a dedicated CVE details repository. Security practitioners should verify the latest textract release for remediation, as the vulnerability affects versions through 2.5.0, and update affected applications accordingly to mitigate risks.


Vulnerability details

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The vulnerability allows unauthenticated remote command injection via malicious filenames processed by the library, enabling exploitation of public-facing applications (T1190) for arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2024-11600 (shared CWE-94)
- CVE-2025-24971 (shared CWE-78)
- CVE-2026-1345 (shared CWE-78)
- CVE-2025-6000 (shared CWE-94)
- CVE-2020-37027 (shared CWE-78)
- CVE-2025-41684 (shared CWE-78)
- CVE-2025-64126 (shared CWE-78)
- CVE-2026-20910 (shared CWE-78)
- CVE-2026-38992 (shared CWE-94)
- CVE-2025-50193 (shared CWE-78)

Affected Assets

dbashford textract, versions ≤ 2.5.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- prevent (SI-10 Information Input Validation): Directly requires validation and sanitization of filePath inputs before passing to child_process.exec to block OS command injection from malicious filenames.
- prevent: Mandates timely identification, testing, and deployment of fixes for flaws like the unsanitized filePath handling in textract versions through 2.5.0.
- prevent (RA-5 Vulnerability Monitoring and Scanning): Requires vulnerability scanning of third-party libraries like textract to detect and remediate known issues such as CVE-2026-26831 prior to exploitation.
