Vulnerability Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, and from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.

The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22), tracked as CVE-2026-23907. However, the fix shipped in releases 2.0.36 and 3.0.7 is flawed because its containment check does not take the file path separator into account: it accepts any target whose path merely begins with the output directory's path. As a result, a user with write access to /home/ABC could be targeted by a malicious PDF that causes a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".

Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
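The separator problem described above, as an added illustration that is not code from Apache PDFBox or from PR 427: `flawedIsInside` reproduces the behaviour the advisory describes, a string-prefix comparison of canonical paths that accepts `/home/ABCDEF/...` as lying under `/home/ABC`; `isInside` is a component-wise check that rejects it while still rejecting classic `..` traversal. The class and method names and the embedded file names are constructed for this example; the output directory `/home/ABC` is the advisory's own example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added illustration for CVE-2026-33929 (not PDFBox code). Compares the
 * prefix-only containment check the advisory describes as flawed with a
 * component-wise check. All file names below are constructed test inputs.
 */
public class EmbeddedFilePathCheck {

    /**
     * Reconstruction of the flawed check (assumption: the advisory says only
     * that the separator is not considered). A string prefix comparison of
     * canonical paths: "/home/ABCDEF/x" starts with "/home/ABC", so it passes.
     */
    static boolean flawedIsInside(File outDir, String embeddedName) throws IOException {
        File target = new File(outDir, embeddedName);
        return target.getCanonicalPath().startsWith(outDir.getCanonicalPath());
    }

    /**
     * Hardened check: resolve the untrusted name against the output directory,
     * fold away "." and ".." with normalize(), then compare whole path
     * elements. Path.startsWith(Path) is element-wise, so /home/ABCDEF does
     * not start with /home/ABC. The candidate must also be strictly below the
     * base so an empty or "." name cannot target the directory itself.
     */
    static boolean isInside(File outDir, String embeddedName) {
        Path base = outDir.toPath().toAbsolutePath().normalize();
        Path candidate = base.resolve(embeddedName).normalize();
        return candidate.startsWith(base) && !candidate.equals(base);
    }

    public static void main(String[] args) throws IOException {
        File outDir = new File("/home/ABC");   // directory the user may write to (advisory's example)
        String[] names = {                     // constructed embedded-file names from a hostile PDF
            "report.pdf",                      // benign
            "sub/dir/notes.txt",               // benign, nested
            "../ABCDEF/.bashrc",               // sibling directory sharing the prefix: the flaw
            "../ABC.bak/x",                    // same flaw with a different suffix
            "../../etc/passwd",                // classic traversal, caught by both checks
        };
        System.out.printf("%-24s %-8s %-8s%n", "embedded file name", "flawed", "fixed");
        for (String n : names) {
            System.out.printf("%-24s %-8b %-8b%n", n,
                    flawedIsInside(outDir, n), isInside(outDir, n));
        }
    }
}
```

Run it on a Unix-like system; the two `../ABC*` rows come out `true` under the flawed check and `false` under the fixed one, while `../../etc/passwd` is rejected by both, which is exactly why the original CVE-2026-23907 fix looked sufficient. Appending `File.separator` to the canonical directory string before the `startsWith` call is the equivalent one-line repair of the prefix check. If the output directory can contain symlinks, compare against `toRealPath()` of the existing base directory rather than the normalised lexical path, and remember that `Path.startsWith` is case-sensitive even on case-insensitive file systems.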
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | PDFBox | >= 2.0.24, < 2.0.37 |
| Apache | PDFBox | >= 3.0.0, < 3.0.8 |
Related Weaknesses (CWE)
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
- https://github.com/apache/pdfbox/pull/427/changes (Patch)
- https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6 (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs (Mailing List)
FAQ
What is CVE-2026-33929?
CVE-2026-33929 is a path traversal (CWE-22) vulnerability in the ExtractEmbeddedFiles example shipped with Apache PDFBox, with a CVSS score of 4.3 (MEDIUM). It affects versions 2.0.24 through 2.0.36 and 3.0.0 through 3.0.7, and stems from an incomplete fix for CVE-2026-23907: the containment check ignores the file path separator, so a malicious PDF can cause a write attempt to any path that merely starts with the output directory's path (e.g. /home/ABCDEF when the output directory is /home/ABC).
How severe is CVE-2026-33929?
CVE-2026-33929 has been rated MEDIUM with a CVSS base score of 4.3/10. The impact is a file write outside the intended output directory, limited to locations the user running the example can already write to.
Is there a patch for CVE-2026-33929?
Yes. The fixed versions are 2.0.37 and 3.0.8 (once available); until then, apply the change from GitHub PR 427 listed in the references section above. Anyone who copied the ExtractEmbeddedFiles example into their own code must apply the same change, since updating the PDFBox library alone does not fix a copied example. Affected product: Apache PDFBox.