MuPDF mutool leaks sensitive information from crafted PDFs
DEBIAN-CVE-2026-40505
Summary
An attacker can use a specially crafted PDF to inject ANSI escape sequences into your terminal when you run mutool info on it, clearing the display and showing fake messages such as spoofed prompts or commands. This can be used to trick you into doing something you shouldn't do. To stay safe, use the latest version of MuPDF mutool.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | mupdf | All versions |
| Debian:12 | debian | mupdf | All versions |
| Debian:13 | debian | mupdf | All versions |
| Debian:14 | debian | mupdf | All versions |
Original title
MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can e...
Original description
MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.
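The class of fix the description points to is neutralising control bytes in untrusted metadata before it reaches the terminal. The following is an added example, not MuPDF code and not the project's patch; the function name `sanitize_for_terminal` and the sample title are hypothetical. It assumes a UTF-8 terminal that rejects overlong encodings.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not MuPDF code. Copies untrusted text to `out`, showing
 * C0 controls (except \n, \t), DEL, UTF-8 encoded C1 controls (C2 80..9F) and
 * stray 0x80..0x9F bytes as literal \xNN. Returns escapes made, -1 if no room. */
int sanitize_for_terminal(const unsigned char *in, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    int hits = 0, need = 0; /* need: UTF-8 continuation bytes still expected */
    if (cap == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int bad = 0;
        if (need > 0 && (c & 0xC0) == 0x80) {
            need--; /* continuation byte of a printable character */
        } else if (c == 0xC2 && i + 1 < len && in[i + 1] >= 0x80 && in[i + 1] <= 0x9F) {
            c = in[++i]; /* encoded C1 control: report its code point */
            bad = 1;
            need = 0;
        } else if ((c < 0x20 && c != '\n' && c != '\t') || c == 0x7F ||
                   (c >= 0x80 && c <= 0x9F)) {
            bad = 1; /* C0 control, DEL, or stray 8-bit C1 byte */
            need = 0;
        } else {
            need = c >= 0xF0 ? 3 : c >= 0xE0 ? 2 : c >= 0xC2 ? 1 : 0;
        }
        if (o + (bad ? 5 : 2) > cap)
            return -1; /* room for the escape (or byte) plus the NUL */
        if (bad)
            o += (size_t)snprintf(out + o, cap - o, "\\x%02X", (unsigned)c);
        else
            out[o++] = (char)c;
        hits += bad;
    }
    out[o] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed sample: a title carrying "clear screen" and "cursor home". */
    const char *t = "Report\x1b[2J\x1b[HPassword: ";
    char safe[128];
    int n = sanitize_for_terminal((const unsigned char *)t, strlen(t), safe, sizeof safe);
    printf("Title: %s (%d escaped)\n", safe, n);
    return 0;
}
```

A non-zero return value also works as a detection signal: legitimate document metadata has no reason to contain ESC or other control bytes.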
- https://security-tracker.debian.org/tracker/CVE-2026-40505 Vendor Advisory
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026