{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33436", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.436Z", "datePublished": "2026-04-17T20:29:43.262Z", "dateUpdated": "2026-04-20T16:20:16.137Z"}, "containers": {"cna": {"title": "Stirling-PDF: Reflected XSS through crafted filename in file upload functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75"}], "affected": [{"vendor": "Stirling-Tools", "product": "Stirling-PDF", "versions": [{"version": "< 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:29:43.262Z"}, "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0."}], "source": {"advisory": "GHSA-q5j3-4m5w-wp75", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:20:12.422033Z", "id": "CVE-2026-33436", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:20:16.137Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33436", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:20:12.422033Z"}}}], "references": [{"url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:20:07.677Z"}}], "cna": {"title": "Stirling-PDF: Reflected XSS through crafted filename in file upload functionality", "source": {"advisory": "GHSA-q5j3-4m5w-wp75", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Stirling-Tools", "product": "Stirling-PDF", "versions": [{"status": "affected", "version": "< 2.0.0"}]}], "references": [{"url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75", "name": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:29:43.262Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33436", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:20:16.137Z", "dateReserved": "2026-03-19T18:45:22.436Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T20:29:43.262Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stirlingpdf:stirling_pdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "314AE048-8BB8-4A18-BF15-5CF9C8F3808C", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0."}], "id": "CVE-2026-33436", "lastModified": "2026-05-13T16:00:07.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-17T21:16:32.750", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 82.0, "source": "matching"}]}, "original": {"product": "Stirling-PDF", "source": "cna", "vendor": "Stirling-Tools"}, "product": "stirling_pdf", "vendor": "stirlingpdf"}], "analysis": {"en": {"generated_at": "2026-04-18T08:59:41.075552+00:00", "value": {"mitigation_remediation": ["Upgrade Stirling\u2011PDF to version 2.0.0 or newer.", "Restrict upload functionality to authenticated and authorized users only.", "Implement server\u2011side sanitization of filenames before rendering them in the user interface."], "summary": {"action": "Apply Patch", "impact": "Reflected XSS via malicious filename"}, "threat_synthesis": {"affected_systems": "The flaw affects Stirling\u2011Tools\u2019 Stirling\u2011PDF in all releases before version 2.0.0. Many upload endpoints across the application are susceptible; users who can upload files without restrictions may trigger the flaw.", "description_and_impact": "A vulnerability in Stirling-PDF allows an attacker to embed JavaScript in a filename carried by a user\u2011supplied upload. The application renders that filename directly into page markup through unsafe techniques such as innerHTML, causing the script to execute in the context of the uploading user\u2019s browser. The impact is reflected cross\u2011site scripting, which can lead to session hijacking, data theft, or phishing attacks against users of the locally hosted web interface.", "risk_and_exploitability": "The CVSS score of 3.1 classifies the issue as low severity, and the EPSS score is not available, indicating no known widespread exploitation. It is not listed in the CISA KEV catalog. Because the attack requires only the ability to upload a file to the application, an adversary with access to the local web service\u2014such as an insider or a compromised workstation\u2014can easily craft a malicious filename and trigger the XSS. The exploit does not require elevated privileges or authentication beyond the normal use of the upload feature."}}}}, "created": "2026-04-18T09:00:05.905092+00:00", "updated": "2026-04-20T14:59:38.651390+00:00", "vendors": ["stirlingpdf", "stirlingpdf$PRODUCT$stirling_pdf"]}