CVE-2026-33438

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33438

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33438.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33438

Aliases

GHSA-3932-2rfq-87xm

Published

2026-03-26T16:58:07.485Z

Modified

2026-04-12T20:14:10.836202Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Stirling-PDF vulnerable to DoS via add-watermark

Details

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (/api/v1/security/add-watermark endpoint). The vulnerability allows authenticated users to cause resource exhaustion and server crashes by providing extreme values for the fontSize and widthSpacer parameters. Version 2.5.2 patches the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33438.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/stirling-tools/stirling-pdf

Affected ranges

Type

GIT

Repo

https://github.com/stirling-tools/stirling-pdf

Events

Introduced

a1317f0e0119a94dbf789f72f65f6ab93510403b

Fixed

7631b222bde7f04e8b591c3566017c5315df896d

Database specific

{
    "versions": [
        {
            "introduced": "2.1.5"
        },
        {
            "fixed": "2.5.2"
        }
    ]
}

Affected versions

v2.*

v2.1.5

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.5.0

v2.5.1

Database specific

vanir_signatures_modified

"2026-04-12T20:14:10Z"

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33438.json"

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "204950583018872886892143125084184862389",
                "62540230431282765624811505592326250692",
                "302033695544518156920303292527690209877",
                "141103952741586010867327455456373619714"
            ]
        },
        "target": {
            "file": "app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2026-33438-a79b885c",
        "source": "https://github.com/stirling-tools/stirling-pdf/commit/7631b222bde7f04e8b591c3566017c5315df896d"
    }
]