Apache PDFBox Extracts Files to Wrong Location
CVE-2026-23907
GHSA-jjwr-xmw6-gf78
Summary
The ExtractEmbeddedFiles example in Apache PDFBox has a security risk. If a malicious PDF supplies a crafted embedded-file name, the example could write extracted files to a location outside the intended extraction directory. Users who copied this example into their code should review it to ensure it's safe and follow the updated example and documentation.
What to do
- Update org.apache.pdfbox:pdfbox-examples to version 3.0.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | org.apache.pdfbox:pdfbox-examples | > 2.0.24, <= 3.0.7 | 3.0.7 |
| apache | pdfbox | > 2.0.24, <= 2.0.35 | – |
| apache | pdfbox | > 3.0.0, <= 3.0.7 | – |
Original title
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerabili...
Original description
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.

The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path.

Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly: now the initial path and the extraction paths are converted into canonical paths, and it is verified that the extraction path contains the initial path. The documentation has also been adjusted.
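The canonical-path containment check described above, as an added example that is not the PDFBox project's own code: it uses only the JDK, takes the embedded-file name as a plain string (the value ExtractEmbeddedFiles reads from PDComplexFileSpecification.getFilename()), and the class name, method name and sample file names are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafeExtractPath {

    /**
     * Resolves an embedded-file name under extractDir the way the fixed
     * example does: both the base directory and the candidate target are
     * canonicalised (".." segments and symlinks resolved), and the target is
     * accepted only if it still lies inside the base directory.
     * The vulnerable pattern is simply new File(extractDir, embeddedName)
     * with no such check.
     */
    public static File resolveInside(File extractDir, String embeddedName) throws IOException {
        // getFilename() may return null for an incomplete file specification.
        if (embeddedName == null || embeddedName.isEmpty()) {
            throw new IOException("embedded file has no usable name");
        }
        File canonicalDir = extractDir.getCanonicalFile();
        File candidate = new File(canonicalDir, embeddedName).getCanonicalFile();

        // Compare with a trailing separator so "/out" does not accept "/out-other/x".
        String dirPrefix = canonicalDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(dirPrefix)) {
            throw new IOException("embedded file name escapes extraction directory: " + embeddedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample names: a benign name, an absolute name and a
        // parent-directory name; only the first should be accepted.
        Path dir = Files.createTempDirectory("pdfbox-extract");
        String[] names = { "report.txt", "/tmp/elsewhere.txt", "../escaped.txt" };
        for (String name : names) {
            try {
                System.out.println("accept: " + resolveInside(dir.toFile(), name));
            } catch (IOException e) {
                System.out.println("reject: " + e.getMessage());
            }
        }
    }
}
```

The prefix comparison must use the canonical form of both sides; comparing the un-normalised joined path against the base directory would still accept names containing ".." segments.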
NVD CVSS 3.1: 5.3
Vulnerability type: CWE-22 (Path Traversal)
References
- https://github.com/JoakimBulow/
- https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw
- http://www.openwall.com/lists/oss-security/2026/03/10/1
- https://nvd.nist.gov/vuln/detail/CVE-2026-23907
- https://github.com/apache/pdfbox/commit/b028eafdf101b58e4ee95430c3be25e3e3aa29d7
- https://github.com/advisories/GHSA-jjwr-xmw6-gf78
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026