CVE-2026-23907

EPSS 0.05%
Veröffentlicht 10.03.2026 09:43:40
Zuletzt bearbeitet 13.03.2026 16:45:28
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

This issue affects the 
ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.


The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because 
the filename that is obtained from 
PDComplexFileSpecification.getFilename() is appended to the extraction path.

Users who have copied this example into their production code should 
review it to ensure that the extraction path is acceptable. The example 
has been changed accordingly, now the initial path and the extraction 
paths are converted into canonical paths and it is verified that 
extraction path contains the initial path. The documentation has also 
been adjusted.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Pdfbox Version >= 2.0.24 <= 2.0.35

Apache ≫ Pdfbox Version >= 3.0.0 <= 3.0.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.162

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/JoakimBulow/

Not Applicable

https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/03/10/1

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-23907

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23907

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23907

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23907