Skip to main content

Stirling Pdf CVE-2026-33438

| EUVD-2026-16262 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-26 GitHub_M
Denial Of Service Stirling Pdf
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.5.2
EUVD ID Assigned
Mar 26, 2026 - 17:15 euvd
EUVD-2026-16262
Analysis Generated
Mar 26, 2026 - 17:15 vuln.today
CVE Published
Mar 26, 2026 - 16:58 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (/api/v1/security/add-watermark endpoint). The vulnerability allows authenticated users to cause resource exhaustion and server crashes by providing extreme values for the fontSize and widthSpacer parameters. Version 2.5.2 patches the issue.

AnalysisAI

Stirling-PDF versions 2.1.5 through 2.5.1 are vulnerable to resource exhaustion denial of service through the watermark API endpoint, where authenticated users can supply extreme values for fontSize and widthSpacer parameters to crash the server. A proof-of-concept exists according to SSVC data, and the vendor has released patched version 2.5.2 to resolve the issue.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields a score of 6.5, indicating Medium to High severity with network accessibility, low attack complexity, and requirement for low-level authentication privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with valid credentials to a Stirling-PDF instance crafts a POST request to /api/v1/security/add-watermark with fontSize and widthSpacer parameters set to extremely large values (e.g., Integer.MAX_VALUE or equivalent), causing the rendering engine to allocate excessive memory and CPU cycles in an attempt to render the watermark. The server exhausts available resources, becomes unresponsive, and crashes, disrupting PDF processing for all users. …
Remediation Upgrade Stirling-PDF to version 2.5.2 or later, which contains the vendor-released patch resolving the resource exhaustion vulnerability in the watermark endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems running 2.1.5 and and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-33438 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy