TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2026-23907

MEDIUM
5.3

Beschreibung

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.

CVE Details

CVSS v3.1 Bewertung5.3
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht3/10/2026
Zuletzt geandert3/13/2026
Quellenvd
Honeypot-Sichtungen0

Betroffene Produkte

apache:pdfbox

Schwachen (CWE)

CWE-22

Referenzen

https://github.com/JoakimBulow/(security@apache.org)
https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw(security@apache.org)
http://www.openwall.com/lists/oss-security/2026/03/10/1(af854a3a-2127-422b-91ae-364da2661108)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.