Platform: java
Component: org.apache.pdfbox:pdfbox-examples
Fixed in: 2.0.37, 3.0.8
CVE-2026-33929 describes a Path Traversal vulnerability found in the Apache PDFBox Examples component. This flaw allows attackers to potentially access arbitrary files on the system. The vulnerability impacts versions of Apache PDFBox Examples up to and including 2.0.36 and 3.0.7. Users are advised to upgrade to version 2.0.37 or 3.0.8 once available, or apply the provided fix.
The Path Traversal vulnerability in Apache PDFBox Examples allows an attacker to bypass intended access restrictions and read files outside of the intended directory. Specifically, the ExtractEmbeddedFiles example is susceptible. An attacker could craft a malicious PDF document and leverage this vulnerability to read sensitive files from the server's file system. The potential impact includes exposure of configuration files, source code, or other confidential data. This vulnerability is similar in nature to other path traversal flaws, where improper input validation leads to unauthorized file access.
CVE-2026-33929 was published on 2026-04-14. It is related to CVE-2026-23907, indicating a shared root cause. No public proof-of-concept (PoC) code had been released as of the publication date. The EPSS score is pending evaluation. Active exploitation is not currently confirmed.
Exploit Status
EPSS: 0.04% (12th percentile)
CVSS Vector
The primary mitigation for CVE-2026-33929 is to upgrade to version 2.0.37 or 3.0.8 of Apache PDFBox Examples. If upgrading is not immediately feasible, apply the fix provided in GitHub Pull Request 427. This PR addresses the flawed logic in the previous release attempts. As a temporary workaround, restrict access to the ExtractEmbeddedFiles example and carefully validate any user-supplied input related to file paths. Consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal patterns.
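As an added illustration of the path validation the workaround above calls for (this is not PDFBox code and not the change in PR 427), the following standard-library Java check resolves a file name taken from PDF content, such as an embedded file's name, against an output directory and rejects any result that lands outside it; the class and method names are assumptions.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Containment check for a file name that comes from PDF content (for example
 * an embedded file's name) before it is used to build a path under an output
 * directory. Added example, not PDFBox's own code; assumes the caller already
 * holds the untrusted name as a String and has chosen a base directory.
 */
public final class SafeEmbeddedFilePath {

    private SafeEmbeddedFilePath() {}

    /** Returns the resolved path, or throws if it would escape baseDir. */
    public static Path resolveWithin(Path baseDir, String untrustedName) {
        if (untrustedName == null || untrustedName.isEmpty()
                || untrustedName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or NUL-containing name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            candidate = base.resolve(untrustedName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("malformed name: " + untrustedName, e);
        }
        // An absolute name replaces the base entirely and ".." segments walk
        // upward; after normalize() both cases fail the startsWith check.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IllegalArgumentException("name escapes output directory: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path out = Paths.get("extracted");
        // Constructed sample names of the kind an embedded-file entry could carry.
        String[] names = { "invoice.txt", "sub/notes.txt", "../escape.txt",
                           "a/../../escape.txt", "/tmp/absolute.txt" };
        for (String n : names) {
            try {
                System.out.println("ok   " + n + " -> " + resolveWithin(out, n));
            } catch (IllegalArgumentException e) {
                System.out.println("skip " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two names resolve under `extracted`; the remaining three are rejected before any file is opened.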
Update to version 2.0.37 or 3.0.8 once they are available. If that is not possible, apply the fix provided in GitHub PR 427 (https://github.com/apache/pdfbox/pull/427/changes) to mitigate the path traversal vulnerability.
CVE-2026-33929 is a Path Traversal vulnerability affecting Apache PDFBox Examples versions up to 2.0.36 and 3.0.7, allowing attackers to potentially access arbitrary files.
If you are using Apache PDFBox Examples versions 2.0.24 through 2.0.36 or 3.0.0 through 3.0.7, you are potentially affected by this vulnerability.
Upgrade to version 2.0.37 or 3.0.8. If upgrading is not possible, apply the fix provided in GitHub PR 427.
As of the publication date, active exploitation of CVE-2026-33929 has not been confirmed.
Refer to the Apache PDFBox project website and GitHub repository for updates and advisories related to CVE-2026-33929.