CVE-2026-33929

EPSS 0.26%
Veröffentlicht 14.04.2026 08:09:39
Zuletzt bearbeitet 20.04.2026 16:58:21
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

This issue affects the 
ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.


Users are recommended to update to version 2.0.37 or 3.0.8 once 
available. Until then, they should apply the fix provided in GitHub PR 
427.

The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".

Users who have copied this example into their production code should apply the mentioned change. The example 
has been changed accordingly and is available in the project repository.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Pdfbox Version >= 2.0.24 < 2.0.37

Apache ≫ Pdfbox Version >= 3.0.0 < 3.0.8

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.493

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/apache/pdfbox/pull/427/changes

Patch

https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs

Mailing List

https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-33929

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33929

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33929

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33929