Path Traversal Vulnerability in Apache PDFBox by Apache
CVE-2026-33929

Currently unrated

Key Information:

Vendor

Apache
Status
Apache PDFbox Examples
Vendor
CVE Published:
14 April 2026

What is CVE-2026-33929?

A path traversal vulnerability in Apache PDFBox's ExtractEmbeddedFiles example could allow an attacker to write files outside the intended directory. The flaw arises in versions from 2.0.24 to 3.0.7, where the file path separator is not adequately handled. Users with write access in specific directories may be impacted by malicious PDFs that exploit this vulnerability. Users are advised to either update to the latest versions 2.0.37 or 3.0.8 or to implement the fix provided in GitHub pull request 427.

Affected Version(s)

Apache PDFBox Examples 2.0.24 <= 2.0.36

Apache PDFBox Examples 3.0.0 <= 3.0.7

References

https://github.com/apache/pdfbox/pull/427/changes
patch
https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf...
mailing-list
https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7z...
vendor-advisory

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kaixuan Li
.