PT-2026-33506 · Unknown · Stirling-Pdf

Published: 2026-04-17 · Updated: 2026-05-13 · CVE-2026-33436

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Stirling-PDF versions prior to 2.0.0
Description: File upload endpoints render user-supplied filenames directly into HTML using unsafe methods such as innerHTML without sanitization. An attacker can therefore craft a file whose filename contains JavaScript that executes in the browser context of the user performing the upload, leading to reflected Cross-Site Scripting (XSS), in which malicious script is injected into an otherwise trusted website.
Recommendations: Update to version 2.0.0.
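As an added example (not Stirling-PDF's own code), here is the rendering pattern the advisory describes next to an escaped version, written as string builders so the difference is visible outside a browser; the filename is a constructed sample, and the helper names are assumptions.

```javascript
// Added example, not code from Stirling-PDF. The functions build HTML strings
// so the behaviour can be inspected without a DOM; in a real page the safe
// path is `li.textContent = name` rather than assigning to `innerHTML`.

// Vulnerable pattern from the advisory: the filename is concatenated into
// markup verbatim, so any tags it carries become live elements when the
// string is assigned to innerHTML.
function renderFilenameUnsafe(name) {
  return `<li class="upload">${name}</li>`;
}

// Escape the characters that can change HTML context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: same markup, but the filename is treated as text.
function renderFilenameSafe(name) {
  return `<li class="upload">${escapeHtml(name)}</li>`;
}

// Check for tests or log review: after stripping the fixed wrapper, does the
// fragment still contain a raw tag that originated in user input?
function containsRawTag(html) {
  const inner = html.replace(/^<li class="upload">|<\/li>$/g, "");
  return /<\s*[a-z]/i.test(inner);
}

// Constructed sample filename carrying markup (not taken from the advisory).
const SAMPLE_NAME = "quarterly<script>alert(1)</script>.pdf";
```

Assigning `renderFilenameUnsafe(SAMPLE_NAME)` to an element's innerHTML would run the embedded script, while `renderFilenameSafe` displays the filename literally.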

Tags: Exploit · Fix · XSS · Improper Encoding or Escaping of Output · RCE

Weakness Enumeration:

Related Identifiers: CVE-2026-33436

Affected Products: Stirling-Pdf