ANSI Injection Vulnerability in MuPDF Mutool by Artifex Software
CVE-2026-40505

4.8MEDIUM

Key Information:

Vendor: Artifex Software Inc.
Status: MuPDF
Vendor: CVE Published:; 16 April 2026

🔔 Create Artifex Software Inc. Vulnerability Alert

What is CVE-2026-40505?

The MuPDF mutool tool is susceptible to an ANSI injection vulnerability due to improper sanitization of PDF metadata fields. Attackers can exploit this flaw by inserting malicious ANSI escape sequences into the metadata of a crafted PDF. When the mutool info command is run, these sequences are unsanitized and displayed in the terminal, allowing attackers to manipulate terminal output. This could enable social engineering attacks, where malicious actors clear the terminal display or present fraudulent prompts, compromising user trust and security.

Affected Version(s)

MuPDF 0 < 0f17d789fe8c29b41e47663be82514aaca3a4dfb

References

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/c...

patch

https://www.vulncheck.com/advisories/mupdf-mutool-ansi-in...

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

Niel Duysters

CVE-2026-40505 Data

JSON