Skip to main content

Apache EUVDEUVD-2026-22229

| CVE-2026-33929 MEDIUM
Path Traversal (CWE-22)
2026-04-14 apache GHSA-gcj8-76p4-g2fq
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.6 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Generated
Apr 14, 2026 - 22:35 vuln.today
CVSS changed
Apr 14, 2026 - 20:22 NVD
4.3 (MEDIUM)
EUVD ID Assigned
Apr 14, 2026 - 08:30 euvd
EUVD-2026-22229
Analysis Generated
Apr 14, 2026 - 08:30 vuln.today
Patch released
Apr 14, 2026 - 08:30 nvd
Patch available
CVE Published
Apr 14, 2026 - 08:09 nvd
MEDIUM 4.3

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.

Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.

The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".

Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.

AnalysisAI

Path traversal vulnerability in Apache PDFBox Examples ExtractEmbeddedFiles tool allows authenticated local users to write files outside intended directories via malicious PDF files when the initial path traversal fix fails to properly validate file path separators. Affects PDFBox 2.0.24-2.0.36 and 3.0.0-3.0.7; CVSS 4.3 with low exploitability (EPSS 0.02%, SSVC automation: no). Patch versions 2.0.37 and 3.0.8 address the issue.

Technical ContextAI

Apache PDFBox is a Java library for creating and manipulating PDF documents. The ExtractEmbeddedFiles example demonstrates PDF embedded file extraction. The vulnerability stems from CWE-22 (Path Traversal), where an incomplete fix for a prior path traversal vulnerability (CVE-2026-23907) failed to account for filesystem path separators. The flaw allows a user with write permissions on a base directory (e.g., /home/ABC) to be targeted by a crafted PDF that attempts writes to paths starting with that prefix but extending into unintended subdirectories (e.g., /home/ABCDEF). This is a secondary-order vulnerability resulting from insufficient validation logic in path normalization code within the example application.

RemediationAI

Upgrade to Apache PDFBox Examples 2.0.37 or 3.0.8 once released by the Apache Software Foundation. Until patched versions are available, apply the path separator validation fix provided in GitHub PR #427 (https://github.com/apache/pdfbox/pull/427/changes) to any production code that includes a copy of the ExtractEmbeddedFiles example. The fix ensures that file path validation properly checks for filesystem path separator boundaries when canonicalizing extracted file paths, preventing writes to sibling or ancestor directories. Consult the Apache mailing list advisory (https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6) for deployment guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-22229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy