What is CVE-2026-26831?

CVE-2026-26831 is a vulnerability in N/a. Published 2026-03-25.

Is CVE-2026-26831 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc…

EPSS: 0.005 (66.8th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

zebbernCVE/CVE-2026-26831

References

www.npmjs.com/package/textract
github.com/dbashford/textract
github.com/dbashford/textract/blob/master/lib/extractors/doc.js
github.com/dbashford/textract/blob/master/lib/extractors/rtf.js
github.com/dbashford/textract/blob/master/lib/util.js
github.com/zebbernCVE/CVE-2026-26831

Frequently asked questions

What is CVE-2026-26831?: CVE-2026-26831 is a vulnerability in N/a. Published 2026-03-25.
Is CVE-2026-26831 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.