Description

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.

The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path.

Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly: the initial path and the extraction paths are now converted into canonical paths, and it is verified that the extraction path contains the initial path. The documentation has also been adjusted.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal
Action: Apply Update
AI Analysis

Impact

The ExtractEmbeddedFiles example in Apache PDFBox contains a path traversal flaw (CWE-22). When a PDF references an embedded file, the filename returned by PDComplexFileSpecification.getFilename() is simply appended to a base extraction directory. An attacker can supply a filename that includes traversal sequences, causing the extraction code to write or read files outside the intended directory, potentially overwriting existing files or exposing sensitive data.

Affected Systems

Apache Software Foundation’s PDFBox Examples are affected. The vulnerability exists in versions 2.0.24 through 2.0.35 and in 3.0.0 through 3.0.6. Any code that copies this example into production and runs it against untrusted PDFs would be vulnerable.

Risk and Exploitability

The CVSS score is 5.3, marking it as a medium-severity flaw, and the EPSS score is below 1%, indicating a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Because the vulnerability requires a PDF with a specially crafted filename and execution of the example code, it is a local-level threat that could be triggered by a malicious file processed by an application running with elevated privileges. After the library authors updated the example to canonicalise paths and verify containment, the risk is mitigated if the latest example is used.

Generated by OpenCVE AI on April 16, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of Apache PDFBox, which includes the patched ExtractEmbeddedFiles example (any 2.0.36+ or 3.0.7+).
  • If an upgrade is not possible, modify your code to validate the extraction path: compute the canonical path of the target file and confirm it begins with the intended base directory before writing the file.
  • Remove or disable the ExtractEmbeddedFiles example from production code; implement a custom extraction routine that enforces strict path checks.
  • Audit the application to ensure that the PDF processing runs with the least privileges required, limiting potential damage from a traversal.
  • Maintain regular updates from the Apache PDFBox project and monitor advisories for any future changes.
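The second recommended action written out, as an added example that is neither PDFBox project code nor part of this advisory: a Java helper that applies the canonical-path containment check to the name an embedded file carries (the String that PDComplexFileSpecification.getFilename() returns), using only java.nio.file so it runs without PDFBox on the classpath. The class name, the method name and the sample names in main are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not PDFBox code: containment check for an embedded-file
// name before it is used as an extraction target (mitigation for CWE-22).
public final class SafeExtractPath {

    /**
     * Resolve an embedded-file name under baseDir and refuse anything that
     * would land outside it. In PDFBox the name would come from
     * PDComplexFileSpecification.getFilename(); here it is a plain String so
     * the check can be exercised without the library.
     */
    static Path resolveInside(Path baseDir, String embeddedName) throws IOException {
        if (embeddedName == null || embeddedName.isEmpty()) {
            throw new IOException("embedded file has no name");
        }
        // Canonical base: follows symlinks and drops "." / ".." segments.
        Path base = baseDir.toRealPath();
        // The target usually does not exist yet, so canonicalise it lexically.
        // If embeddedName is absolute, resolve() ignores base and the check fails.
        Path target = base.resolve(embeddedName).normalize();
        // Path.startsWith compares whole name elements, so "/out" does not
        // match "/outside" the way a String prefix test would.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("refusing to extract outside " + base + ": " + embeddedName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("pdfbox-extract");
        // Constructed sample names covering ordinary and traversal cases.
        String[] names = {
            "report.txt",
            "sub/dir/notes.txt",
            "../../outside.txt",
            "sub/../../../escape.txt",
            "/etc/hosts"
        };
        for (String name : names) {
            try {
                System.out.println("ok      " + resolveInside(out, name));
            } catch (IOException e) {
                System.out.println("blocked " + e.getMessage());
            }
        }
    }
}
```

Only the first two names resolve; the rest are rejected before any file is opened for writing.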


Advisories

Source: GitHub GHSA
ID: GHSA-jjwr-xmw6-gf78
Title: Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function
History

Fri, 13 Mar 2026 17:00:00 +0000

First Time appeared: Apache pdfbox
CPEs: cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*
Vendors & Products: Apache pdfbox

Wed, 11 Mar 2026 12:15:00 +0000

References: updated
Metrics: threat_severity changed from None to Moderate

Wed, 11 Mar 2026 12:00:00 +0000

First Time appeared: Apache; Apache pdfbox Examples
Vendors & Products: Apache; Apache pdfbox Examples

Tue, 10 Mar 2026 18:30:00 +0000

References: updated

Tue, 10 Mar 2026 18:15:00 +0000

Metrics added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Description removed: This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.
Description added: This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.

Tue, 10 Mar 2026 10:15:00 +0000

Description added: This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.
Title added: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
Weaknesses added: CWE-22
References: added
MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-10T17:51:53.261Z

Reserved: 2026-01-19T12:13:50.503Z

Link: CVE-2026-23907

Vulnrichment

Updated: 2026-03-10T13:28:02.680Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:16.960

Modified: 2026-03-13T16:45:28.490

Link: CVE-2026-23907

Redhat

Severity : Moderate

Public Date: 2026-03-10T09:43:40Z

Links: CVE-2026-23907 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses