Unknown · Stirling-PDF · CVE-2026-34071
**Name of the Vulnerable Software and Affected Versions**
Stirling-PDF versions prior to 2.8.0
**Description**
Stirling-PDF is a locally hosted web application designed for PDF file operations. The `/api/v1/convert/eml/pdf` API endpoint, when used with the `downloadHtml=true` parameter, returns unsanitized HTML from the email body if the content type is `text/html`. This allows an attacker to achieve JavaScript execution by sending a malicious email to a Stirling-PDF user and having them export the email using the "Download HTML intermediate file" feature. The `downloadHtml` parameter is the vulnerable component in this process.
**Recommendations**
Versions prior to 2.8.0 should be updated to version 2.8.0 or later.