CVE-2026-23907

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23907
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23907.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23907
Aliases
Downstream
Published
2026-03-10T18:18:16.960Z
Modified
2026-04-10T05:40:45.227094Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

This issue affects the ExtractEmbeddedFiles example inĀ Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.

The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path.

Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.

References

Affected packages

Git / github.com/apache/pdfbox

Affected ranges

Type
GIT
Repo
https://github.com/apache/pdfbox
Events
Introduced
8876e8e1a0adbf619cef4638cc3cea073e3ca484
Last affected
110936c8738a0ead824f347e8ec8c2efb10c9335
Introduced
47e7cff248d0ac17b7c03d9eb208e34a5c00bc42
Last affected
928581dc0cd44b0b8b3a83f74d223049db69844d
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.24"
        },
        {
            "last_affected": "2.0.35"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "last_affected": "3.0.7"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23907.json"