Skip to main content

Stirling-PDF CVE-2026-41580

| EUVDEUVD-2026-44691 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 GitHub_M
6.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-reachable endpoint, no attacker auth required per description, but victim must actively view the info page (UI:R); scope changes because injected script executes in the application's browser origin with limited C/I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:46 vuln.today
Analysis Generated
Jul 15, 2026 - 15:46 vuln.today

DescriptionCVE.org

Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. Prior to 2.0.0, Stirling-PDF's /get-info-on-pdf endpoint rendered PDF Title and Author metadata fields without proper HTML encoding or sanitization, allowing a crafted PDF to execute attacker-controlled JavaScript in the browser of a user who views the resulting page. This issue is fixed in version 2.0.0.

AnalysisAI

Stored cross-site scripting in Stirling-PDF's /get-info-on-pdf endpoint allows attacker-controlled JavaScript to execute in any user's browser when they view metadata of a crafted PDF file. All versions prior to 2.0.0 are affected; the CVSS scope change (S:C) indicates injected scripts operate within the application's browser origin, enabling session hijacking or unauthorized actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Upload PDF with XSS payload in Title/Author metadata
Delivery
Victim navigates to /get-info-on-pdf endpoint
Exploit
Unencoded metadata reflected into HTML response
Execution
Injected JavaScript executes in victim's browser within Stirling-PDF origin
Impact
Session tokens or user actions exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires two sequential conditions: first, the attacker must be able to submit a crafted PDF with JavaScript embedded in the Title or Author metadata fields to the Stirling-PDF instance (via the upload interface or API); second, a victim user must navigate to the /get-info-on-pdf endpoint to view that file's metadata. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 Medium rating reflects AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - network-reachable, low complexity, no attacker authentication required, but user interaction is necessary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a crafted PDF to a Stirling-PDF instance where the file's Title or Author metadata contains a JavaScript payload such as a cookie-stealing script. When a second user navigates to the /get-info-on-pdf endpoint to inspect that file, the unencoded metadata renders in their browser and the script executes within the Stirling-PDF application origin, exfiltrating session tokens or forging requests on the victim's behalf.
Remediation Upgrade to Stirling-PDF version 2.0.0, which resolves this issue per the GitHub security advisory GHSA-rjjx-43g5-mp76 (https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-rjjx-43g5-mp76). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-41580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy