Is there a patch available for CVE-2026-40505?

Yes, a patch is available for CVE-2026-40505. Update the affected software to the latest version immediately.

Mupdf CVE-2026-40505

Q: What is the CVSS score of CVE-2026-40505?

CVE-2026-40505 has a CVSS 4.0 base score of 4.8 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23147 MEDIUM

Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)

2026-04-16 VulnCheck

GHSA-hj44-m5xv-x75q

RCE Mupdf

4.8

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

4.8 MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE

3.3 LOW

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 16, 2026 - 02:34 NVD

LOW MEDIUM

CVSS changed

Apr 16, 2026 - 02:34 NVD

3.3 (LOW) 4.8 (MEDIUM)

Analysis Generated

Apr 16, 2026 - 01:49 vuln.today

EUVD ID Assigned

Apr 16, 2026 - 01:45 euvd

EUVD-2026-23147

Analysis Generated

Apr 16, 2026 - 01:45 vuln.today

Patch released

Apr 16, 2026 - 01:45 nvd

Patch available

CVE Published

Apr 16, 2026 - 01:20 nvd

MEDIUM 4.8

DescriptionCVE.org

MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.

AnalysisAI

MuPDF mutool fails to sanitize PDF metadata before displaying it in terminal output, allowing local attackers to inject ANSI escape sequences through crafted PDF files. When a user runs mutool info on a malicious PDF, embedded escape codes can clear the terminal and display fabricated text for social engineering attacks such as fake login prompts or spoofed shell commands. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Attacker crafts PDF with malicious metadata

Delivery

Attacker distributes PDF to target user

Exploit

User executes mutool info on PDF

Install

Mutool outputs unsanitized metadata to terminal

ANSI sequences execute in terminal

Execute

Terminal display is manipulated

Impact

User is socially engineered to enter credentials or execute commands

Recon

Attacker crafts PDF with malicious metadata

Delivery

Attacker distributes PDF to target user

Exploit

User executes mutool info on PDF

Install

Mutool outputs unsanitized metadata to terminal

ANSI sequences execute in terminal

Execute

Terminal display is manipulated

Impact

User is socially engineered to enter credentials or execute commands

Vulnerability AssessmentAI

Exploitation	The vulnerability requires the following specific conditions: the user must execute mutool info (or a similar mutool command that outputs metadata) on an attacker-supplied PDF file containing malicious ANSI escape sequences in metadata fields. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.3 score reflects low severity with low-risk attack parameters: local access vector (AV:L), low complexity (AC:L), no privileges required (PR:N), but mandatory user interaction (UI:R) and limited impact (only integrity; no confidentiality or availability). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker creates a PDF with a crafted Title metadata field containing ANSI escape codes, such as \033[2J (clear screen) followed by fake text resembling a login prompt. The attacker distributes this PDF via email or file sharing. …
Remediation	Update MuPDF to a version incorporating commit 0f17d789fe8c29b41e47663be82514aaca3a4dfb or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Low

CVE-2026-40505 vulnerability details – vuln.today

Back

Mupdf CVE-2026-40505

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code