PT-2026-28600 · Unknown · Stirling-Pdf

Alan951 · Published 2026-03-26 · Updated 2026-05-14 · CVE-2026-34071

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Stirling-PDF versions prior to 2.8.0

Description
Stirling-PDF is a locally hosted web application designed for PDF file operations. The /api/v1/convert/eml/pdf API endpoint, when used with the downloadHtml=true parameter, returns unsanitized HTML from the email body if the content type is text/html. This allows an attacker to achieve JavaScript execution by sending a malicious email to a Stirling-PDF user and having them export the email using the "Download HTML intermediate file" feature. The downloadHtml parameter is the vulnerable component in this process.

Recommendations
Versions prior to 2.8.0 should be updated to version 2.8.0 or later.
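
One defensive pattern for the behaviour described above, as an added example that is not Stirling-PDF's code and not the 2.8.0 fix: it extracts the text/html body from a constructed EML message and contrasts the raw body with an allow-list sanitized version. The tag allow-list, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for rendered mail; every other tag is dropped.
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "li", "ol", "p", "span", "strong", "ul"}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # drop tag and contents
SAFE_SCHEMES = ("http://", "https://", "mailto:")

# Constructed sample message: a single text/html part carrying active content.
SAMPLE_EML = (
    b"From: sender@example.com\r\nTo: user@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p onclick="alert(1)">Hello <b>user</b></p>'
    b"<script>alert(document.domain)</script>"
    b'<a href="javascript:alert(1)">x</a>'
    b'<a href="https://example.com/">ok</a>\r\n'
)

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            # All attributes are discarded except an http(s)/mailto href on <a>.
            href = (dict(attrs).get("href") or "").strip()
            keep = tag == "a" and href.lower().startswith(SAFE_SCHEMES)
            self.out.append(f'<{tag} href="{escape(href)}">' if keep else f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # text is re-escaped, never echoed raw

def html_body(raw_eml: bytes) -> str:
    # Returns the text/html body exactly as the sender wrote it (unsafe to serve).
    msg = message_from_bytes(raw_eml, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""

def sanitize(html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

An unclosed element from DROP_CONTENT causes the rest of the body to be discarded, so the sanitizer fails closed.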

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34071
GHSA-XMHG-FV84-JGFC

Affected Products

Stirling-Pdf