CVE-2026-23907 - Vulnerability Analysis
MediumCVSS: 5.3Last Updated: March 11, 2026
Apache PDFBox - Path Traversal
Published: March 10, 2026Updated: March 11, 2026PoC AvailableRemote Exploitable
Overview
Apache PDFBox ExtractEmbeddedFiles example 2.0.24 through 2.0.35 and 3.0.0 through 3.0.6 contains a path traversal caused by appending filenames from PDComplexFileSpecification.getFilename() to extraction paths, letting attackers write files outside intended directories, exploit requires crafted file input.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
Attackers can write files outside intended directories, potentially overwriting critical files or executing arbitrary code.
Mitigation
Update to a version later than 2.0.35 or 3.0.6 where the extraction path is properly validated.
References
Related Resources
Details
- CVE ID
- CVE-2026-23907
- Severity
- Medium
- CVSS Score
- 5.3
- Type
- path_traversal
- Status
- unconfirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N