CVE-2026-23907

Published: Mar 10, 2026 Last Modified: Mar 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,3

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

This issue affects the
ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.

The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because
the filename that is obtained from
PDComplexFileSpecification.getFilename() is appended to the extraction path.

Users who have copied this example into their production code should
review it to ensure that the extraction path is acceptable. The example
has been changed accordingly, now the initial path and the extraction
paths are converted into canonical paths and it is verified that
extraction path contains the initial path. The documentation has also
been adjusted.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0001

Percentile

0,0th

Updated

EPSS Score Trend (Last 6 Days)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability

Potential Impacts:

Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart

Applicable Platforms

Technologies: AI/ML

Likelihood of Exploit: High

View CWE Details

Application

Pdfbox by Apache

Product Information

Vendor Apache

Product Pdfbox

Version Range Affected

From 3.0.0 (inclusive)

To 3.0.7 (inclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Pdfbox by Apache

Product Information

Vendor Apache

Product Pdfbox

Version Range Affected

From 2.0.24 (inclusive)

To 2.0.35 (inclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

http://www.openwall.com/lists/oss-security/2026/03/10/1

https://github.com/JoakimBulow/

https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53…

https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw

CVE-2026-23907

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 6 Days)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Common Consequences

Applicable Platforms

Pdfbox by Apache

Product Information

Pdfbox by Apache

Product Information

Iscriviti alla newsletter