Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable endpoint, no attacker auth required per description, but victim must actively view the info page (UI:R); scope changes because injected script executes in the application's browser origin with limited C/I impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. Prior to 2.0.0, Stirling-PDF's /get-info-on-pdf endpoint rendered PDF Title and Author metadata fields without proper HTML encoding or sanitization, allowing a crafted PDF to execute attacker-controlled JavaScript in the browser of a user who views the resulting page. This issue is fixed in version 2.0.0.
AnalysisAI
Stored cross-site scripting in Stirling-PDF's /get-info-on-pdf endpoint allows attacker-controlled JavaScript to execute in any user's browser when they view metadata of a crafted PDF file. All versions prior to 2.0.0 are affected; the CVSS scope change (S:C) indicates injected scripts operate within the application's browser origin, enabling session hijacking or unauthorized actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two sequential conditions: first, the attacker must be able to submit a crafted PDF with JavaScript embedded in the Title or Author metadata fields to the Stirling-PDF instance (via the upload interface or API); second, a victim user must navigate to the /get-info-on-pdf endpoint to view that file's metadata. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 Medium rating reflects AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - network-reachable, low complexity, no attacker authentication required, but user interaction is necessary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a crafted PDF to a Stirling-PDF instance where the file's Title or Author metadata contains a JavaScript payload such as a cookie-stealing script. When a second user navigates to the /get-info-on-pdf endpoint to inspect that file, the unencoded metadata renders in their browser and the script executes within the Stirling-PDF application origin, exfiltrating session tokens or forging requests on the victim's behalf. |
| Remediation | Upgrade to Stirling-PDF version 2.0.0, which resolves this issue per the GitHub security advisory GHSA-rjjx-43g5-mp76 (https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-rjjx-43g5-mp76). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Stirling Pdf
View allStirling-PDF is a locally hosted web application that performs various operations on PDF files. Rated high severity (CVS
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Rated high severity (CVS
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Rated high
Stirling-PDF, a locally hosted web application for PDF operations, contains a path traversal vulnerability in the /api/v
Stirling-PDF versions 2.1.5 through 2.5.1 are vulnerable to resource exhaustion denial of service through the watermark
A vulnerability was found in Stirling-Tools Stirling-PDF up to 0.28.3. Rated low severity (CVSS 2.3), this vulnerability
Stirling-PDF version 2.7.3 fails to sanitize HTML content from email bodies in the /api/v1/convert/eml/pdf endpoint when
Reflected cross-site scripting (XSS) in Stirling-PDF versions before 2.0.0 allows unauthenticated remote attackers to ex
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Rated high severity (CVS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44691