CVE-2026-34586

Name of the Vulnerable Software and Affected Versions PdfDing versions prior to 1.7.1

Description PdfDing is a selfhosted PDF manager, viewer and editor. Prior to version 1.7.1, the check shared access allowed() function only validates session existence and does not check if a shared PDF is inactive (expired or has reached its maximum view count) or deleted. The Serve and Download API endpoints, ''/serve'' and ''/download'', rely on this function, allowing previously-authorized users to access shared PDF content after it has expired, reached its view limit, or been soft-deleted.

Recommendations Update to version 1.7.1 or later.