PT-2026-26592 · Unknown · Stirling-Pdf

Sy460129 · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-27625

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Stirling-PDF versions prior to 2.5.2

Description

Stirling-PDF is a locally hosted web application used for PDF file operations. Versions prior to 2.5.2 have an issue where the /api/v1/convert/markdown/pdf endpoint does not properly validate paths when extracting entries from user-supplied ZIP files. This allows an authenticated user to write files outside the intended temporary directory, resulting in arbitrary file write with the privileges of the stirlingpdfuser process. This can lead to overwriting writable files and compromising data integrity. The vulnerable parameter is the ZIP file provided to the /api/v1/convert/markdown/pdf endpoint.

Recommendations

Update Stirling-PDF to version 2.5.2 or later.
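
The path check that the description says is missing, shown as an added example (it is not Stirling-PDF's code, which this page does not show): every ZIP entry name is resolved against the extraction directory, and the whole archive is rejected before anything is written if any entry lands outside it. The function names and the two sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import Path


def resolve_entry(dest: Path, name: str) -> Path:
    """Resolve a ZIP entry name under dest; raise ValueError if it escapes."""
    root = dest.resolve()
    # Treat backslashes as separators so Windows-style names are checked too.
    target = (root / name.replace("\\", "/")).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"entry escapes extraction directory: {name!r}")
    return target


def safe_extract(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Extract all entries, or nothing at all if any entry is unsafe."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every name before writing a single byte.
        targets = [(i, resolve_entry(dest, i.filename)) for i in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a normal upload, and one with an entry outside the root.
GOOD = build_zip({"doc.md": b"# title\n", "img/logo.png": b"\x89PNG"})
BAD = build_zip({"doc.md": b"# title\n", "../outside.txt": b"x"})
```

Validating all names before the first write means a rejected archive leaves no partial output behind in the temporary directory.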

Exploit

Fix

Relative Path Traversal

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-27625
GHSA-WCCQ-MG6X-2W22

Affected Products

Stirling-Pdf