Platform
php
Component
stirling-pdf
Fixed in
2.0.1
CVE-2026-33436 describes a reflected Cross-Site Scripting (XSS) vulnerability affecting Stirling-PDF versions 1.0.0 through 1.9.9. This vulnerability allows attackers to inject malicious JavaScript code into the application via specially crafted filenames during file uploads. Successful exploitation can lead to the execution of arbitrary code within the context of the uploading user's browser, potentially compromising sensitive data or session information. Version 2.0.0 resolves this issue.
The primary impact of CVE-2026-33436 is the potential for reflected XSS attacks. An attacker could craft a malicious PDF file with a filename containing JavaScript code. When a user uploads this file through a vulnerable Stirling-PDF endpoint, the filename is rendered directly into the HTML output without proper sanitization. This allows the embedded JavaScript to execute within the user's browser, granting the attacker the ability to steal cookies, redirect the user to a malicious website, or deface the application. The blast radius is limited to users who interact with the vulnerable upload functionality, but the impact on individual users can be significant.
CVE-2026-33436 was publicly disclosed on 2026-04-17. No public proof-of-concept (POC) code has been identified at the time of writing. The CVSS score is LOW, indicating a relatively low probability of exploitation in the absence of a readily available exploit. It is not currently listed on the CISA KEV catalog.
Organizations using Stirling-PDF for local PDF processing, particularly those with user-facing file upload functionality, are at risk. Shared hosting environments where multiple users have access to the same Stirling-PDF instance are especially vulnerable, as a malicious file uploaded by one user could impact other users.
• php: Examine application logs for unusual file upload activity, specifically looking for filenames containing JavaScript code (e.g., <script>alert('XSS')</script>).
• generic web: Use curl to test file upload endpoints with malicious filenames and observe the response HTML for signs of JavaScript execution.
curl -X POST -F "file=@malicious_file.pdf" http://your-stirling-pdf-instance/upload.php
• generic web: Inspect the source code of file upload handling functions for inadequate sanitization of filenames before rendering them in HTML.
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-33436 is to immediately upgrade Stirling-PDF to version 2.0.0 or later, which includes a fix for the vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all file upload endpoints to prevent the injection of malicious characters. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and audit all file upload processes to ensure proper sanitization techniques are employed.
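To make the mechanism described above and the mitigation recommended here concrete, the following is an added, illustrative Python example: it is not Stirling-PDF's own code (the page does not show that code), and the function names, the log line format and the sample log entries are constructed assumptions. It contrasts the unsafe "concatenate the filename into HTML" pattern with output encoding, shows allowlist-based filename validation, and runs the log check from the detection section over constructed log lines.

```python
import html
import re
from pathlib import PurePosixPath

# Allowlist for stored and displayed filenames: letters, digits, space, dot, dash, underscore.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9 ._-]{1,255}$")
# Crude indicator for triaging upload log entries; it will also flag some benign names.
_SUSPICIOUS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)

def render_vulnerable(filename: str) -> str:
    """The pattern the advisory describes: filename concatenated into HTML unescaped."""
    return f"<p>Uploaded: {filename}</p>"

def render_safe(filename: str) -> str:
    """Output encoding: escape the filename for an HTML text context."""
    return f"<p>Uploaded: {html.escape(filename, quote=True)}</p>"

def sanitize_filename(raw: str) -> str:
    """Input validation: keep only the basename and require it to match the allowlist.
    Rejecting instead of silently rewriting keeps the event visible in the logs."""
    name = PurePosixPath(raw.replace("\\", "/")).name
    if not _SAFE_NAME.fullmatch(name) or name in {".", ".."}:
        raise ValueError(f"rejected filename: {raw!r}")
    return name

def flag_suspicious_uploads(log_lines):
    """Return filenames from 'filename="..."' log entries (assumed format) that look like XSS probes."""
    hits = []
    for line in log_lines:
        match = re.search(r'filename="([^"]*)"', line)
        if match and _SUSPICIOUS.search(match.group(1)):
            hits.append(match.group(1))
    return hits

# Constructed sample data, not taken from any real Stirling-PDF deployment.
PAYLOAD_NAME = "<script>alert('XSS')</script>.pdf"
SAMPLE_LOG = [
    'upload ok filename="report.pdf" user=alice',
    f'upload ok filename="{PAYLOAD_NAME}" user=mallory',
    'upload ok filename="img onerror=alert(1).pdf" user=bob',
]

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_NAME))   # the script tag survives into the page
    print(render_safe(PAYLOAD_NAME))         # rendered as inert &lt;script&gt; text
    print(flag_suspicious_uploads(SAMPLE_LOG))
```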
Update Stirling-PDF to version 2.0.0 or later to fix the XSS vulnerability. This version fixes the insecure rendering of filenames in the file upload functions and thus prevents malicious JavaScript code from executing in the user's browser.
CVE-2026-33436 is a reflected Cross-Site Scripting (XSS) vulnerability in Stirling-PDF versions 1.0.0 through 1.9.9, allowing malicious JavaScript execution via crafted filenames.
You are affected if you are using Stirling-PDF versions 1.0.0 through 1.9.9 and have file upload functionality. Upgrade to version 2.0.0 to mitigate the risk.
Upgrade Stirling-PDF to version 2.0.0 or later. Implement input validation and sanitization on file upload endpoints as a temporary workaround.
There are currently no confirmed reports of active exploitation in the wild, but the ease of exploitation warrants caution.
Refer to the Stirling-PDF project's official website or repository for the latest security advisories and release notes.