Path Traversal Vulnerability in Apache PDFBox by Apache
CVE-2026-33929

4.3MEDIUM

Key Information:

Vendor

Apache
Status
Apache PDFbox Examples
Vendor
CVE Published:
14 April 2026

What is CVE-2026-33929?

A path traversal vulnerability in Apache PDFBox's ExtractEmbeddedFiles example could allow an attacker to write files outside the intended directory. The flaw arises in versions from 2.0.24 to 3.0.7, where the file path separator is not adequately handled. Users with write access in specific directories may be impacted by malicious PDFs that exploit this vulnerability. Users are advised to either update to the latest versions 2.0.37 or 3.0.8 or to implement the fix provided in GitHub pull request 427.

Affected Version(s)

Apache PDFBox Examples 2.0.24 <= 2.0.36

Apache PDFBox Examples 3.0.0 <= 3.0.7

References

https://github.com/apache/pdfbox/pull/427/changes
patch
https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf...
mailing-list
https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7z...
vendor-advisory

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kaixuan Li
.