Platform
php
Component
stirling-pdf
Fixed in
2.0.1
CVE-2026-33436 is a reflected Cross-Site Scripting (XSS) vulnerability affecting Stirling-PDF versions 1.0.0 through 1.9.9. The name of an uploaded file is written directly into the HTML response without output encoding, so a file whose name contains markup or script causes arbitrary JavaScript to execute in the browser of the user who uploaded it, with session hijacking or defacement as possible consequences. Version 2.0.0 resolves this issue.
The primary impact of CVE-2026-33436 is reflected XSS. Because the injection is reflected rather than stored, the script runs in the browser of whoever submits the crafted filename, so an attacker has to get a victim to upload an attacker-supplied file (or to submit the upload form from an attacker-controlled page). Once running, the script can do whatever the page's own JavaScript can: read session cookies that are not marked HttpOnly, redirect the user to a malicious site, deface the application, or issue requests to the instance as the victim. Given Stirling-PDF's role as a PDF processing tool, that last capability could expose the content of documents the victim has processed, depending on user permissions and application configuration. The blast radius is limited to users interacting with the vulnerable file upload endpoints.
CVE-2026-33436 was publicly disclosed on 2026-04-17. No public proof-of-concept exploit is currently known. The vulnerability is rated LOW under CVSS; note that CVSS measures severity, not the likelihood of exploitation, which is what the EPSS figure below estimates. The attack itself requires nothing more than a crafted filename, so the low rating should not be read as low exploitability. This vulnerability is not currently listed in the CISA KEV catalog.
Organizations running Stirling-PDF with user-facing file upload functionality are at risk. Shared instances where multiple users reach the same Stirling-PDF deployment are especially exposed, since a crafted file handed from one user to another and uploaded by the recipient executes in the recipient's session.
• php: Examine application and reverse-proxy logs for unusual upload activity, in particular filenames containing markup or script (e.g., <script>alert('XSS')</script>). Check the decoded value: a payload may appear URL-encoded or entity-encoded in the log (%3Cscript%3E, &lt;script&gt;).
• generic web: Use curl to submit a file under a crafted filename and inspect the response HTML for the payload reflected without encoding. The ;filename= suffix on -F sets the multipart filename independently of the local file; replace upload-endpoint with the instance's actual upload route:
curl -s -F 'file=@sample.pdf;filename=<img src=x onerror=alert(1)>.pdf' http://your-stirling-pdf-instance/upload-endpoint | grep -F '<img src=x'
A match means the filename is echoed verbatim; a fixed instance returns it as &lt;img src=x ...&gt; or not at all.
• generic web: Inspect the source code of file upload handling functions for inadequate sanitization of filenames before rendering them in HTML.
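The log check above, as an added example that is not part of this advisory or of the Stirling-PDF project: the script scans constructed upload log lines (the "upload: user=... file=..." layout is hypothetical; Stirling-PDF's real log format is not documented here, so adapt FILE_RE), decodes URL and entity encoding before matching, and flags filenames carrying tags, event handlers, javascript: URLs or attribute-quote breakouts.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample log lines in a hypothetical "upload:" layout; adjust FILE_RE
# to the format your instance or reverse proxy actually writes.
SAMPLE_LOG = """\
2026-04-17T10:01:02Z INFO  upload: user=alice file="report.pdf" size=10240
2026-04-17T10:01:05Z INFO  upload: user=bob file="<img src=x onerror=alert(1)>.pdf" size=512
2026-04-17T10:01:09Z INFO  upload: user=eve file="%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E.pdf" size=77
2026-04-17T10:01:12Z INFO  upload: user=mallory file="x&quot; onmouseover=&quot;alert(1).pdf" size=90
2026-04-17T10:02:00Z INFO  upload: user=carol file="Q1 results (final).pdf" size=20480
"""

FILE_RE = re.compile(r'user=(?P<user>\S+)\s+file="(?P<file>[^"]*)"')

# Indicators checked against the decoded filename, in this order.
INDICATORS = [
    ('html-tag',       re.compile(r'<\s*/?\s*[a-z!]', re.I)),       # <script, </script, <img, <!--
    ('event-handler',  re.compile(r'\bon[a-z]+\s*=', re.I)),         # onerror=, onmouseover=
    ('javascript-url', re.compile(r'javascript\s*:', re.I)),         # href="javascript:..."
    ('quote-breakout', re.compile(r'["\']\s*[a-z-]+\s*=', re.I)),    # x" onmouseover=
]


def decode_filename(raw: str) -> str:
    """Undo URL and HTML-entity encoding, twice, so double-encoded payloads
    (%253C -> %3C -> <) are inspected in their final form."""
    decoded = raw
    for _ in range(2):
        decoded = html.unescape(unquote(decoded))
    return decoded


def scan_upload_log(text: str) -> list[dict]:
    """Return one finding per log line whose decoded filename matches an indicator."""
    findings = []
    for line in text.splitlines():
        match = FILE_RE.search(line)
        if not match:
            continue
        decoded = decode_filename(match.group('file'))
        reasons = [name for name, pattern in INDICATORS if pattern.search(decoded)]
        if reasons:
            findings.append({'user': match.group('user'),
                             'filename': decoded,
                             'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in scan_upload_log(SAMPLE_LOG):
        print(f"{finding['user']:8} {','.join(finding['reasons']):28} {finding['filename']}")
```

The decode step matters more than the pattern list: a log that records the raw multipart filename will show eve's payload only as %3Cscript%3E, which a naive search for "<script" misses. Expect some false positives from legitimate names containing quotes or an "on...=" fragment; the point is to surface uploads worth a second look, not to block them.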
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33436 is to upgrade Stirling-PDF to version 2.0.0 or later, which contains the fix. If upgrading is not immediately feasible, apply HTML output encoding wherever the filename is written into a response, and add input validation on the upload endpoints (reject or normalise names containing <, >, quotes or control characters) as defence in depth; validation alone is not a complete fix, because the name can arrive encoded or through another code path to the same sink. A Web Application Firewall can be configured to block multipart requests whose filename part contains markup, with the caveat that encoded variants need their own rules. Regularly review and update the application's security configuration to minimise the attack surface. After upgrading, confirm the fix by uploading a file with a known malicious filename and verifying that the response encodes the name (for example as &lt;script&gt;) rather than reflecting it verbatim, so that no JavaScript executes.
Update Stirling-PDF to version 2.0.0 or later to mitigate the XSS vulnerability. This version fixes the insecure rendering of filenames in the file upload features, preventing execution of malicious JavaScript in the user's browser.
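The workaround and the post-upgrade check described above, as an added example that is not code from this advisory or from the Stirling-PDF project: the vulnerable rendering pattern (filename concatenated into HTML) beside the fixed one (HTML-encoded at the sink), an allowlist filename normaliser for defence in depth, and a verification routine that parses a response fragment and reports any executable content instead of grepping for a substring. The HTML fragment shape and both payload filenames are constructed for illustration.

```python
import html
import os
import re
from html.parser import HTMLParser

# Constructed payload filenames (not taken from any published exploit).
BODY_PAYLOAD = '<img src=x onerror=alert(document.cookie)>.pdf'   # injects in element text
ATTR_PAYLOAD = 'x" onmouseover="alert(1).pdf'                     # breaks out of an attribute


def render_unsafe(filename: str) -> str:
    """Pre-fix pattern: the raw filename is concatenated into an HTML fragment,
    once inside an attribute value and once as element text."""
    return f'<li class="file" title="{filename}">Uploaded: {filename}</li>'


def render_safe(filename: str) -> str:
    """Fixed pattern: encode at the sink. quote=True also encodes " and ', which is
    what stops ATTR_PAYLOAD from closing the title attribute."""
    enc = html.escape(filename, quote=True)
    return f'<li class="file" title="{enc}">Uploaded: {enc}</li>'


_DISALLOWED = re.compile(r'[^A-Za-z0-9._ -]')


def sanitize_filename(filename: str, max_len: int = 100) -> str:
    """Defence in depth for the stored or displayed name: drop path components,
    replace anything outside a conservative allowlist, trim length.
    This complements output encoding; it does not replace it."""
    base = os.path.basename(filename.replace('\\', '/'))
    cleaned = _DISALLOWED.sub('_', base).strip(' .')
    return (cleaned or 'upload')[:max_len]


class _ActiveContentAudit(HTMLParser):
    """Collects script tags, on* handlers and javascript: URLs while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append(('script-tag', tag))
        for name, value in attrs:                 # HTMLParser lowercases names
            if name.startswith('on'):
                self.findings.append(('event-handler', f'{tag}@{name}'))
            elif value and value.strip().lower().startswith('javascript:'):
                self.findings.append(('javascript-url', f'{tag}@{name}'))


def active_content(fragment: str) -> list[tuple[str, str]]:
    """Post-upgrade verification: parse the response the way a browser would
    and return every piece of executable content found (empty list = clean)."""
    audit = _ActiveContentAudit()
    audit.feed(fragment)
    audit.close()
    return audit.findings


if __name__ == '__main__':
    for name in (BODY_PAYLOAD, ATTR_PAYLOAD):
        print('unsafe   :', active_content(render_unsafe(name)))
        print('safe     :', active_content(render_safe(name)))
        print('sanitized:', sanitize_filename(name))
```

Running it shows why the two halves are kept separate: render_safe neutralises both payloads on its own, while sanitize_filename alone would still let a name through to any other sink that forgets to encode. Use active_content on the real response of a patched instance; a grep for the literal payload gives a false pass when the server reorders or re-quotes attributes.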
CVE-2026-33436 is a reflected Cross-Site Scripting (XSS) vulnerability in Stirling-PDF versions 1.0.0 through 1.9.9, allowing malicious JavaScript execution via crafted filenames.
You are affected if you run Stirling-PDF versions 1.0.0 through 1.9.9 and its file upload functionality is reachable by users. Upgrade to version 2.0.0 to mitigate the risk.
Upgrade Stirling-PDF to version 2.0.0 or later. Implement input validation and sanitization on file upload endpoints as a temporary workaround.
There are currently no confirmed reports of active exploitation in the wild, but the ease of exploitation warrants caution.
Refer to the Stirling-PDF project's official website or repository for the latest security advisories and release notes.