Description
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0.
Published: 2026-04-17
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS via malicious filename
Action: Apply Patch
AI Analysis

Impact

A vulnerability in Stirling-PDF allows an attacker to embed JavaScript in a filename carried by a user‑supplied upload. The application renders that filename directly into page markup through unsafe techniques such as innerHTML, causing the script to execute in the context of the uploading user’s browser. The impact is reflected cross‑site scripting, which can lead to session hijacking, data theft, or phishing attacks against users of the locally hosted web interface.

Affected Systems

The flaw affects Stirling‑Tools’ Stirling‑PDF in all releases before version 2.0.0. Many upload endpoints across the application are susceptible; users who can upload files without restrictions may trigger the flaw.

Risk and Exploitability

The CVSS score of 3.1 classifies the issue as low severity, and the EPSS score is not available, indicating no known widespread exploitation. It is not listed in the CISA KEV catalog. Because the attack requires only the ability to upload a file to the application, an adversary with access to the local web service—such as an insider or a compromised workstation—can easily craft a malicious filename and trigger the XSS. The exploit does not require elevated privileges or authentication beyond the normal use of the upload feature.

Generated by OpenCVE AI on April 18, 2026 at 08:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stirling‑PDF to version 2.0.0 or newer.
  • Restrict upload functionality to authenticated and authorized users only.
  • Implement server‑side sanitization of filenames before rendering them in the user interface.

Generated by OpenCVE AI on April 18, 2026 at 08:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Stirlingpdf
Stirlingpdf stirling Pdf
Vendors & Products Stirlingpdf
Stirlingpdf stirling Pdf

Fri, 17 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0.
Title Stirling-PDF: Reflected XSS through crafted filename in file upload functionality
Weaknesses CWE-116
CWE-20
CWE-79
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Stirlingpdf Stirling Pdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:20:16.137Z

Reserved: 2026-03-19T18:45:22.436Z

Link: CVE-2026-33436

cve-icon Vulnrichment

Updated: 2026-04-20T16:20:07.677Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T21:16:32.750

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-33436

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:38Z

Weaknesses