Platform
php
Component
stirling-pdf
Fixed in
2.0.1
CVE-2026-33436 describes a reflected Cross-Site Scripting (XSS) vulnerability affecting Stirling-PDF versions 1.0.0 through 1.9.9. An attacker exploits it by uploading a file whose filename contains HTML or JavaScript; the application writes that filename straight into the HTML response without output encoding, so the browser of the user who submitted the upload parses and executes it. This allows arbitrary JavaScript to run in the context of the uploading user, potentially leading to session hijacking or defacement. Version 2.0.0 resolves this issue.
The primary impact of CVE-2026-33436 is reflected XSS. An attacker who can get a victim to upload a file with a crafted filename (for example, a file supplied to the victim under that name) has JavaScript executed in the victim's browser when the response echoing the filename is rendered. This could allow the attacker to steal session cookies, redirect the user to a malicious website, or deface the application. Because Stirling-PDF's function is PDF processing, a script running in the victim's session could also read or exfiltrate content of the documents the victim processes, depending on user permissions and application configuration. The blast radius is limited to users who interact with the vulnerable upload endpoints, and the attacker must induce the victim to submit the crafted filename, which is a higher bar than the link-based delivery typical of reflected XSS.
CVE-2026-33436 was publicly disclosed on 2026-04-17. There are currently no known public proof-of-concept exploits available. The severity is rated LOW, and the EPSS score of 0.05% (15th percentile) indicates a low estimated probability of exploitation in the wild; that said, the attack itself is trivial once a victim can be induced to upload a crafted filename, so the fix should not be deferred indefinitely. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33436 is to upgrade Stirling-PDF to version 2.0.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, the correct interim fix is contextual output encoding: HTML-escape the filename at every point where it is written into a response, rather than relying on input validation alone. Rejecting uploads whose filename contains angle brackets or quotes is a coarser stopgap that also works for this bug class but will reject the occasional legitimate name. A Web Application Firewall (WAF) can be configured to block upload requests whose Content-Disposition filename contains markup; treat this as a partial measure, since encoding variants may slip past signature rules. Regularly review and update the application's security configuration to minimize the attack surface. After upgrading, confirm the fix by uploading a file whose name contains a harmless test tag and verifying that the name is displayed literally and no script executes.
Update Stirling-PDF to version 2.0.0 or higher to mitigate the XSS vulnerability. This version corrects the insecure rendering of filenames in file upload functions, preventing the execution of malicious JavaScript code in the user's browser.
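The following is an added example, not code from Stirling-PDF or from this advisory. It models the bug class described above (a user-controlled filename interpolated directly into HTML), places the output-encoding fix beside it, and provides the two checks a practitioner would want: a verification function that distinguishes the vulnerable rendering from the hardened one, and a coarse filename filter of the kind an interim WAF or upload rule might apply. All function names and the sample filename are hypothetical and constructed for the example.

```javascript
// Added example, not Stirling-PDF code: a minimal model of the bug class in
// the advisory (a user-controlled filename written straight into HTML), the
// output-encoding fix, a check that distinguishes the two, and a coarse
// filename filter of the kind a WAF or interim rule might apply.
// All function names and the sample filename below are hypothetical.

// Constructed test payload: a filename that is valid on most filesystems but
// carries an <img> tag with an event handler.
const CONSTRUCTED_PAYLOAD_NAME = 'report<img src=x onerror="alert(document.cookie)">.pdf';

// Contextual output encoding for HTML text and double-quoted attribute
// values: the five characters that can change parsing in those contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the filename is interpolated into markup unchanged,
// so any tag inside it is parsed by the browser as part of the page.
function renderUploadResultVulnerable(filename) {
  return `<li class="uploaded-file">Uploaded: ${filename}</li>`;
}

// Hardened renderer: identical markup, filename escaped for the text context
// it lands in. The name is still displayed exactly as the user typed it.
function renderUploadResultHardened(filename) {
  return `<li class="uploaded-file">Uploaded: ${escapeHtml(filename)}</li>`;
}

// Collect the tag names present in an HTML fragment (opening and closing).
function extractTagNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Verification check for a fix: true if the fragment contains any tag the
// template does not itself emit. Tied to this template's own tag list; a
// template that puts the filename into an attribute or script context needs
// a context-specific check instead.
function hasUnexpectedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  return extractTagNames(html).some((name) => !allowed.has(name));
}

// Coarse filename filter for an interim WAF or upload rule: rejects names
// containing angle brackets, a javascript: scheme or an on*= handler. This is
// a stopgap only; it does not replace output encoding and will also reject
// the rare legitimate name that contains these characters.
function isSuspiciousFilename(name) {
  return /[<>]|javascript:|\bon[a-z]+\s*=/i.test(name);
}

// Stand-alone run: show the two renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, render] of [
    ["vulnerable", renderUploadResultVulnerable],
    ["hardened", renderUploadResultHardened],
  ]) {
    const html = render(CONSTRUCTED_PAYLOAD_NAME);
    console.log(`${label}: ${html}`);
    console.log(`  injected markup present: ${hasUnexpectedTags(html, ["li"])}`);
    console.log(`  filter would reject name: ${isSuspiciousFilename(CONSTRUCTED_PAYLOAD_NAME)}`);
  }
}
```

The point of `hasUnexpectedTags` is that it checks the rendered output, not the input: it is the same observation the verification step in the mitigation text asks for, made mechanical. `isSuspiciousFilename` is deliberately the weaker of the two controls; it belongs in front of an unpatched instance, not in place of the escaping fix.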
CVE-2026-33436 is a reflected Cross-Site Scripting (XSS) vulnerability in Stirling-PDF versions 1.0.0 through 1.9.9, allowing malicious JavaScript execution via crafted filenames.
You are affected if you are using Stirling-PDF versions 1.0.0 through 1.9.9 and have file upload functionality. Upgrade to version 2.0.0 to mitigate the risk.
Upgrade Stirling-PDF to version 2.0.0 or later. As a temporary workaround, HTML-escape the filename wherever it is written into a response, and optionally reject or block uploads whose filename contains markup.
There are currently no confirmed reports of active exploitation in the wild, but the ease of exploitation warrants caution.
Refer to the Stirling-PDF project's official website or repository for the latest security advisories and release notes.