CVE-2026-26831
March 25, 2026
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
Affected Packages
github.com/nats-io/nats-server/v2 (GO):
Affected version(s) >=v2.0.0-RC14.0.20190604014547-ed1901c79292 <v2.11.15Fix Suggestion:
Update to version v2.11.15github.com/nats-io/nats-server/v2 (GO):
Affected version(s) >=v2.0.0-RC14.0.20190604014547-ed1901c79292 <v2.11.15Fix Suggestion:
Update to version v2.11.15github.com/nats-io/nats-server/v2 (GO):
Affected version(s) >=v2.12.0 <v2.12.6Fix Suggestion:
Update to version v2.12.6github.com/nats-io/nats-server/v2 (GO):
Affected version(s) >=v2.0.0-RC14.0.20190604014547-ed1901c79292 <v2.11.15Fix Suggestion:
Update to version v2.11.15github.com/nats-io/nats-server/v2 (GO):
Affected version(s) >=v2.12.0 <v2.12.6Fix Suggestion:
Update to version v2.12.6github.com/nats-io/nats-server/v2 (GO):
Affected version(s) >=v2.12.0 <v2.12.6Fix Suggestion:
Update to version v2.12.6Related Resources (6)
Do you need more information?
Contact UsCVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Control of Generation of Code ('Code Injection')
EPSS
Base Score:
0.16
