PT-2026-32604 · Apache · Apache Pdfbox

Kaixuan Li · Published 2026-04-14 · Updated 2026-05-09 · CVE-2026-33929

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache PDFBox versions 2.0.24 through 2.0.36
Apache PDFBox versions 3.0.0 through 3.0.7

Description
The ExtractEmbeddedFiles example contains a path traversal issue, which occurs when an application does not properly restrict the pathnames used to access files, potentially allowing access to directories outside the intended folder. A flaw in the path separator handling allows a malicious PDF to trigger write attempts to any path starting with the authorized directory prefix, such as writing to "/home/ABCDEF" when the user only has rights to "/home/ABC".

Recommendations
Update versions 2.0.24 through 2.0.36 to version 2.0.37. Update versions 3.0.0 through 3.0.7 to version 3.0.8. Apply the fix provided in GitHub PR 427 for affected versions. Users who integrated the ExtractEmbeddedFiles example into production code should manually apply the updated changes from the project repository.
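The description above names the root cause: a string prefix comparison treats "/home/ABCDEF" as being inside "/home/ABC" because the check never accounts for the path separator. The following is an added illustration, not code from Apache PDFBox or from PR 427; it contains no PDFBox API calls and only shows the weak check beside a check that compares whole path elements, applied to an untrusted embedded-file name before it is used as a write target. Class and method names (EmbeddedFileTargetCheck, weakPrefixCheck, isInsideBase, resolveOutputPath) and the sample names are constructed for this example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration (not PDFBox code): the prefix-check pitfall named in the
// advisory, beside a check that compares whole path elements.
public class EmbeddedFileTargetCheck {

    // Weak check: a character-wise prefix test. "/home/ABCDEF/x" starts with
    // the string "/home/ABC", so a sibling directory is accepted as "inside".
    static boolean weakPrefixCheck(String baseDir, String targetPath) {
        return targetPath.startsWith(baseDir);
    }

    // Hardened check: normalise both paths, then require the target to be the
    // base directory or one of its descendants. Path.startsWith compares whole
    // name elements, so the element "ABCDEF" is not a prefix of "ABC".
    static boolean isInsideBase(Path baseDir, Path targetPath) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(targetPath).toAbsolutePath().normalize();
        return target.startsWith(base);
    }

    // Map an untrusted embedded-file name taken from the PDF to a location under
    // the output directory, or refuse it. Only the final name element is kept,
    // so separators and ".." inside the name cannot redirect the write.
    static Path resolveOutputPath(Path outputDir, String embeddedName) throws IOException {
        Path base = outputDir.toAbsolutePath().normalize();
        Path leaf = Paths.get(embeddedName).getFileName();
        if (leaf == null || leaf.toString().isEmpty() || leaf.toString().equals("..")) {
            throw new IOException("unusable embedded file name: \"" + embeddedName + "\"");
        }
        Path candidate = base.resolve(leaf).normalize();
        if (candidate.equals(base) || !isInsideBase(base, candidate)) {
            throw new IOException("embedded file name escapes output directory: \"" + embeddedName + "\"");
        }
        return candidate;
    }

    public static void main(String[] args) {
        String base = "/home/ABC";
        // Constructed sample: the sibling-directory path from the advisory.
        String sibling = "/home/ABCDEF/secret.txt";
        System.out.println("weak prefix check accepts sibling dir:    "
                + weakPrefixCheck(base, sibling));
        System.out.println("element-wise check accepts sibling dir:  "
                + isInsideBase(Paths.get(base), Paths.get(sibling)));

        // Constructed embedded-file names of the kind a PDF's name tree could carry.
        String[] names = { "report.txt", "../ABCDEF/evil.txt", "/home/ABCDEF/evil.txt", "..", "" };
        for (String n : names) {
            try {
                System.out.println("\"" + n + "\" -> " + resolveOutputPath(Paths.get(base), n));
            } catch (IOException e) {
                System.out.println("\"" + n + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with a JDK 8 or later: weakPrefixCheck reports the sibling directory as inside the base, isInsideBase does not. Reducing the untrusted name to its final element, then re-checking the resolved result against the normalised base, is the pattern a caller should apply whenever file names from a document decide where data is written; the PDFBox releases listed under Recommendations carry the project's own correction of the example.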

Fix

Weakness Enumeration
Path traversal

Related Identifiers

CVE-2026-33929
GHSA-GCJ8-76P4-G2FQ
OESA-2026-2147
OESA-2026-2148
OESA-2026-2238
OESA-2026-2239
OESA-2026-2240
OPENSUSE-SU-2026:10550-1

Affected Products

Apache Pdfbox