Affected Products
Vendor / product matrix with CVE counts sourced from the CPE catalog.
Products
1 vendor| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
| 1 | 1 | 0 | 82.1% | CRITICAL |
Related CVEs
1| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published | |
|---|---|---|---|---|---|---|---|
| CVE-2026-26831 | textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization | CRITICAL | 9.8 | — | 82.1% | Mar 25, 2026 |