Skip to main content

DeftPDF Document Translator CVE-2026-30276

| EUVDEUVD-2026-17480 CRITICAL
External Control of File Name or Path (CWE-73)
2026-03-31 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 16:00 euvd
EUVD-2026-17480
Analysis Generated
Mar 31, 2026 - 16:00 vuln.today
CVE Published
Mar 31, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

AnalysisAI

Arbitrary file overwrite in DeftPDF Document Translator v54.0 permits attackers to overwrite critical internal files through the file import mechanism, potentially enabling remote code execution or sensitive information exposure. The vulnerability affects DeftPDF Document Translator specifically at version 54.0 and is documented by academic researchers at Fudan University's security systems group. Attack complexity and authentication requirements cannot be definitively assessed due to missing CVSS vector data, though the file import process suggests user interaction may be required.

Technical ContextAI

The vulnerability resides in DeftPDF Document Translator's file import processing logic, which fails to properly validate or restrict file paths during document import operations. This path traversal or improper file handling vulnerability (root cause classification not explicitly provided in available data) allows attackers to specify arbitrary file paths as overwrite targets within the application's file handling routines. The underlying issue is a failure to implement adequate input validation or sandboxing on imported file destinations, permitting traversal beyond intended import directories. The academic disclosure by Secsys-FDU (Security Systems Group at Fudan University) indicates this was identified through systematic vulnerability research rather than opportunistic exploitation.

RemediationAI

Primary remediation requires upgrading DeftPDF Document Translator to a patched version released after v54.0; however, specific patched version numbers are not provided in the available data. Organizations should immediately contact DeftPDF (https://deftpdf.com/) to confirm patch availability and obtain the latest release. As an interim mitigation, restrict file import functionality to trusted users only, disable the import feature if operationally feasible, and monitor file system activity for unexpected modifications to critical application or system files. The academic vulnerability disclosure at https://github.com/Secsys-FDU/AF_CVEs/issues/22 may contain additional technical context or proof-of-concept details useful for validation of fixes. Do not deploy DeftPDF Document Translator v54.0 in new environments until a patched version is confirmed available.

Share

CVE-2026-30276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy