CVE-2026-40505

| EUVD-2026-23147 MEDIUM
2026-04-16 VulnCheck GHSA-hj44-m5xv-x75q
RCE
4.8
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Severity Changed
Apr 16, 2026 - 02:34 NVD
LOW MEDIUM
CVSS Changed
Apr 16, 2026 - 02:34 NVD
3.3 (LOW) 4.8 (MEDIUM)
Analysis Generated
Apr 16, 2026 - 01:49 vuln.today

DescriptionNVD

MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.

AnalysisAI

MuPDF mutool fails to sanitize PDF metadata before displaying it in terminal output, allowing local attackers to inject ANSI escape sequences through crafted PDF files. When a user runs mutool info on a malicious PDF, embedded escape codes can clear the terminal and display fabricated text for social engineering attacks such as fake login prompts or spoofed shell commands. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40505 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy