{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33929", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-24T17:06:35.279Z", "datePublished": "2026-04-14T08:09:39.517Z", "dateUpdated": "2026-04-14T08:09:39.517Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.pdfbox:pdfbox-examples", "product": "Apache PDFBox Examples", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.0.36", "status": "affected", "version": "2.0.24", "versionType": "semver"}, {"lessThanOrEqual": "3.0.7", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kaixuan Li"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.</p><p>This issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.</p><p>\nUsers are recommended to update to version 2.0.37 or 3.0.8 once \navailable. Until then, they should apply the fix provided in GitHub PR \n427.</p><p>The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with&nbsp;/home/ABC, e.g.&nbsp;\"/home/ABCDEF\".</p><p>Users who have copied this example into their production code should apply the mentioned change. The example \nhas been changed accordingly and is available in the project repository.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.\n\nThis issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.\n\n\nUsers are recommended to update to version 2.0.37 or 3.0.8 once \navailable. Until then, they should apply the fix provided in GitHub PR \n427.\n\nThe ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with\u00a0/home/ABC, e.g.\u00a0\"/home/ABCDEF\".\n\nUsers who have copied this example into their production code should apply the mentioned change. The example \nhas been changed accordingly and is available in the project repository."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-14T08:09:39.517Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/pdfbox/pull/427/changes"}, {"tags": ["mailing-list"], "url": "https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6"}], "source": {"defect": ["PDFBOX-6180"], "discovery": "EXTERNAL"}, "title": "Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.\n\nThis issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.\n\n\nUsers are recommended to update to version 2.0.37 or 3.0.8 once \navailable. Until then, they should apply the fix provided in GitHub PR \n427.\n\nThe ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with\u00a0/home/ABC, e.g.\u00a0\"/home/ABCDEF\".\n\nUsers who have copied this example into their production code should apply the mentioned change. The example \nhas been changed accordingly and is available in the project repository."}], "id": "CVE-2026-33929", "lastModified": "2026-04-14T09:16:36.297", "metrics": {}, "published": "2026-04-14T09:16:36.297", "references": [{"source": "security@apache.org", "url": "https://github.com/apache/pdfbox/pull/427/changes"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@apache.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.24,2.0.36]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.7]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache PDFBox Examples", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "pdfbox_examples", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T09:20:33.649033+00:00", "value": {"mitigation_remediation": ["Update to Apache PDFBox 2.0.37 or 3.0.8 once released.", "If an update is not yet available, apply the fix from GitHub pull request 427 to the example code.", "Replace any local copy of the ExtractEmbeddedFiles example with the corrected version from the repository.", "Verify that the application only accesses files within intended directories and adjust file\u2011system permissions to restrict the example\u2019s write scope."], "summary": {"action": "Immediate update", "impact": "Path traversal leading to arbitrary file write"}, "threat_synthesis": {"affected_systems": "The issue affects users who have incorporated the ExtractEmbeddedFiles example from Apache PDFBox. Apache PDFBox Versions 2.0.24 through 2.0.36 and 3.0.0 through 3.0.7 are impacted. The example is maintained by the Apache Software Foundation under the PDFBox Examples project.", "description_and_impact": "Improper limitation of a pathname to a restricted directory has been found in the ExtractEmbeddedFiles example of Apache PDFBox. The flaw allows a malicious PDF file to direct the example code to write to any location that begins with the user\u2019s home directory, such as /home/ABCDEF when the example runs with writing rights on /home/ABC. This can result in the creation or modification of files outside the intended sandbox, compromising confidentiality, integrity, or availability.", "risk_and_exploitability": "The CVSS score is not provided, but the vulnerability is a typical CWE-22 path traversal that permits arbitrary file write when the example runs with file\u2011system write permissions. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a local user running the example or a service that incorporates the example in its code base. Exploit would require a crafted PDF containing a malicious embedded file name that attempts to climb out of the expected directory."}}}}, "created": "2026-04-14T16:15:46.969133+00:00", "updated": "2026-04-14T16:30:43.839816+00:00", "vendors": ["apache", "apache$PRODUCT$pdfbox_examples"]}