Remote Code Execution Vulnerability in Stirling-PDF Web Application
CVE-2026-34071

5.4MEDIUM

Key Information:

Vendor: Stirling-tools
Status: Stirling-PDF
Vendor: CVE Published:; 26 March 2026

🔔 Create Stirling-tools Vulnerability Alert

What is CVE-2026-34071?

The Stirling-PDF web application has a security flaw in version 2.7.3, where the /api/v1/convert/eml/pdf endpoint allows an attacker to send a malicious email. This email can contain unsanitized HTML that, when a user exports the email using the 'Download HTML intermediate file' feature, executes JavaScript in the user's context. This potential exposure leads to significant security risks as it could allow unauthorized actions or data breaches. The issue is addressed in version 2.8.0.

Affected Version(s)

Stirling-PDF = 2.7.3

References

https://github.com/Stirling-Tools/Stirling-PDF/security/a...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Mar 25, 2026

CVE-2026-34071 Data

JSON