PT-2026-24199 · Apache · Apache Pdfbox
Joakim Bülow · Published 2026-03-10 · Updated 2026-04-14 · CVE-2026-23907
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache PDFBox versions 2.0.24 through 2.0.36
Apache PDFBox versions 3.0.0 through 3.0.7
Description
The ExtractEmbeddedFiles example within Apache PDFBox contains a path traversal issue. The filename obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path, potentially allowing unauthorized access or modification of files.
Recommendations
For Apache PDFBox versions 2.0.24 through 2.0.36, review any production code that utilizes the ExtractEmbeddedFiles example to ensure the extraction path is acceptable.
For Apache PDFBox versions 3.0.0 through 3.0.7, review any production code that utilizes the ExtractEmbeddedFiles example to ensure the extraction path is acceptable.
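One way to check that an extraction path is acceptable, shown as an added example (not code from Apache PDFBox or from this advisory). The class name, the resolveInside helper, the "extracted" directory and the sample names are assumptions made for illustration; the untrusted name stands in for the value returned by PDComplexFileSpecification.getFilename().

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class SafeExtractPath {

    /**
     * Resolve an untrusted embedded-file name (for example the value returned by
     * PDComplexFileSpecification.getFilename()) inside extractDir.
     * Throws IOException if the result would land outside extractDir.
     */
    static Path resolveInside(Path extractDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IOException("empty embedded file name");
        }
        Path base = extractDir.toAbsolutePath().normalize();
        Path target;
        try {
            // Treat '\' as a separator on every platform so Windows-style names
            // are checked the same way on Linux.
            target = base.resolve(untrustedName.replace('\\', '/')).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid embedded file name", e);
        }
        // resolve() returns an absolute argument unchanged, so this also rejects
        // absolute names. startsWith() compares whole path components, not strings.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("name escapes extraction directory: " + untrustedName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("extracted"); // hypothetical extraction directory
        // Constructed sample names, not taken from any real PDF.
        List<String> names = List.of("report.txt", "sub/notes.txt", "../outside.txt",
                "..\\..\\outside.txt", "/tmp/outside.txt", "a/../../outside.txt");
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + resolveInside(dir, n));
            } catch (IOException e) {
                System.out.println("REJECT  " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is lexical: it does not resolve symbolic links that already exist inside the extraction directory, so extract into a directory the process created itself.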
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Apache Pdfbox