Description
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Patch
AI Analysis

Impact

An authenticated user can submit a ZIP file to the Markdown‑to‑PDF conversion endpoint. The application extracts ZIP entries without validating their paths, allowing a path traversal exploit that writes files outside the intended temporary directory. This gives the process user the ability to overwrite any writable file, compromising data integrity and potentially enabling further escalation depending on the target files.

Affected Systems

Stirling‑Tools: Stirling‑PDF versions earlier than 2.5.2 are affected. The vulnerability exists in the locally hosted web application’s API endpoint /api/v1/convert/markdown/pdf.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires authentication and access to the API, making it an authenticated local or network‑based attack. After patching to version 2.5.2, the path validation is restored, eliminating this vector.

Generated by OpenCVE AI on March 24, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stirling‑PDF to version 2.5.2 or later.

Generated by OpenCVE AI on March 24, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Stirling
Stirling stirling Pdf
CPEs cpe:2.3:a:stirling:stirling_pdf:*:*:*:*:*:*:*:*
Vendors & Products Stirling
Stirling stirling Pdf

Fri, 20 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Stirlingpdf
Stirlingpdf stirling Pdf
Vendors & Products Stirlingpdf
Stirlingpdf stirling Pdf

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.
Title Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction
Weaknesses CWE-22
CWE-23
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Stirling Stirling Pdf
Stirlingpdf Stirling Pdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:37:16.038Z

Reserved: 2026-02-20T22:02:30.027Z

Link: CVE-2026-27625

cve-icon Vulnrichment

Updated: 2026-03-20T15:37:11.873Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T09:16:13.857

Modified: 2026-03-24T16:03:23.303

Link: CVE-2026-27625

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:47Z

Weaknesses