Description
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have a Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (`/api/v1/security/add-watermark` endpoint). The vulnerability allows authenticated users to cause resource exhaustion and server crashes by providing extreme values for the `fontSize` and `widthSpacer` parameters. Version 2.5.2 patches the issue.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

Stirling-PDF, a locally hosted web application that manipulates PDF files, contains a flaw in its /api/v1/security/add-watermark endpoint. By supplying excessively large values for the fontSize and widthSpacer parameters, an authenticated user can cause the server to consume excessive CPU and memory, eventually crashing. The flaw is a resource exhaustion weakness described by CWE-770 and results in a denial of service.

Affected Systems

The affected product is Stirling-Tools' Stirling-PDF. Versions from 2.1.5 up to but not including 2.5.2 are vulnerable. The issue requires authentication and can be triggered only by users who have valid login credentials to the application.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score below 1% shows a low likelihood of real-world exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack is limited to authenticated users, so reachability is constrained. An attacker would need to craft a special request to the watermark endpoint, and the effect is limited to exhausting server resources until a crash occurs.

Generated by OpenCVE AI on April 1, 2026 at 06:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stirling-PDF to version 2.5.2 or later to apply the vendor patch.
  • Restrict or disable the /api/v1/security/add-watermark endpoint for unauthenticated or low-privilege users to limit exposure.
  • Implement monitoring of CPU and memory usage, and log anomalies during watermark processing to detect possible abuse.
  • If patching cannot be performed immediately, consider temporarily limiting the fontSize and widthSpacer values or blocking the endpoint entirely.

Tracking

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Stirling; Stirling stirling Pdf
CPEs | | cpe:2.3:a:stirling:stirling_pdf:*:*:*:*:*:*:*:*
Vendors & Products | | Stirling; Stirling stirling Pdf

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Stirlingpdf; Stirlingpdf stirling Pdf
Vendors & Products | | Stirlingpdf; Stirlingpdf stirling Pdf

Thu, 26 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (`/api/v1/security/add-watermark` endpoint). The vulnerability allows authenticated users to cause resource exhaustion and server crashes by providing extreme values for the `fontSize` and `widthSpacer` parameters. Version 2.5.2 patches the issue.
Title | | Stirling-PDF vulnerable to DoS via add-watermark
Weaknesses | | CWE-770
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Stirling Stirling Pdf
Stirlingpdf Stirling Pdf
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T17:34:32.654Z

Reserved: 2026-03-19T18:45:22.437Z

Link: CVE-2026-33438

Vulnrichment

Updated: 2026-03-26T17:34:23.179Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:40.657

Modified: 2026-03-31T21:37:52.353

Link: CVE-2026-33438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:58:57Z

Weaknesses