Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
AnalysisAI
Arbitrary file overwrite in DeftPDF Document Translator v54.0 permits attackers to overwrite critical internal files through the file import mechanism, potentially enabling remote code execution or sensitive information exposure. The vulnerability affects DeftPDF Document Translator specifically at version 54.0 and is documented by academic researchers at Fudan University's security systems group. Attack complexity and authentication requirements cannot be definitively assessed due to missing CVSS vector data, though the file import process suggests user interaction may be required.
Technical ContextAI
The vulnerability resides in DeftPDF Document Translator's file import processing logic, which fails to properly validate or restrict file paths during document import operations. This path traversal or improper file handling vulnerability (root cause classification not explicitly provided in available data) allows attackers to specify arbitrary file paths as overwrite targets within the application's file handling routines. The underlying issue is a failure to implement adequate input validation or sandboxing on imported file destinations, permitting traversal beyond intended import directories. The academic disclosure by Secsys-FDU (Security Systems Group at Fudan University) indicates this was identified through systematic vulnerability research rather than opportunistic exploitation.
RemediationAI
Primary remediation requires upgrading DeftPDF Document Translator to a patched version released after v54.0; however, specific patched version numbers are not provided in the available data. Organizations should immediately contact DeftPDF (https://deftpdf.com/) to confirm patch availability and obtain the latest release. As an interim mitigation, restrict file import functionality to trusted users only, disable the import feature if operationally feasible, and monitor file system activity for unexpected modifications to critical application or system files. The academic vulnerability disclosure at https://github.com/Secsys-FDU/AF_CVEs/issues/22 may contain additional technical context or proof-of-concept details useful for validation of fixes. Do not deploy DeftPDF Document Translator v54.0 in new environments until a patched version is confirmed available.
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17480