ГлавнаяУязвимости → CVE-2026-26831
9.8критическая

CVE-2026-26831

Описание

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

Затрагиваемое ПО
Dbashford Textract
CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/dbashford/textracthttps://github.com/dbashford/textract/blob/master/lib/extractors/doc.jshttps://github.com/dbashford/textract/blob/master/lib/extractors/rtf.jshttps://github.com/dbashford/textract/blob/master/lib/util.jshttps://github.com/zebbernCVE/CVE-2026-26831https://www.npmjs.com/package/textract