Reflected XSS Vulnerability in Stirling-PDF Web Application
CVE-2026-33436

3.1 LOW

Key Information:

Vendor
CVE Published: 17 April 2026

What is CVE-2026-33436?

Stirling-PDF, a web application for managing PDF files, is vulnerable to reflected XSS attacks in versions prior to 2.0.0. The file upload functionality fails to properly sanitize user-supplied filenames, allowing an attacker to inject malicious JavaScript code. This code is executed in the browser context of users who upload such files, leading to potential data theft or session hijacking. Protecting against this vulnerability requires upgrading to version 2.0.0, which addresses the file upload security flaws by implementing proper sanitization methods.
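The unsanitized-filename flaw described above, shown as an added example that is not Stirling-PDF source code: one function concatenates the filename into markup unchanged, the other normalizes it and escapes it at the point of output. All function names and the sample filename are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; not taken from Stirling-PDF.

// Vulnerable pattern: the filename is concatenated into markup unchanged.
function renderUploadRowUnsafe(filename) {
  return '<li class="upload">' + filename + '</li>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reduce a client-supplied name to a bounded display name: drop path
// components, strip control characters, cap the length.
function normalizeFilename(name, maxLen = 255) {
  const base = String(name).split(/[\\/]/).pop();
  const cleaned = base.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  return cleaned.slice(0, maxLen) || 'unnamed';
}

// Hardened pattern: normalize first, then escape when building the markup.
function renderUploadRowSafe(filename) {
  return '<li class="upload">' + escapeHtml(normalizeFilename(filename)) + '</li>';
}

// Constructed sample input: a filename that carries markup.
const SAMPLE_NAME = '<img src=x onerror=alert(1)>.pdf';

console.log(renderUploadRowUnsafe(SAMPLE_NAME)); // markup reaches the page intact
console.log(renderUploadRowSafe(SAMPLE_NAME));   // markup is rendered as text
```

In browser code, assigning the filename to `textContent` instead of building an HTML string gives the same result without a hand-written escaper.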

Affected Version(s)

Stirling-PDF < 2.0.0

References

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
