4.3
Apache PDFBox Examples Allow Malicious File Write Access
CVE-2026-33929
GHSA-gcj8-76p4-g2fq
Summary
Apache PDFBox Examples contain a flaw that can allow an attacker to write malicious files to any location on a user's system. This happens when a specially crafted PDF is opened. To fix this issue, users should update to the latest version of Apache PDFBox or apply the fix provided in GitHub PR 427.
What to do
- Update org.apache.pdfbox:pdfbox-examples to version 2.0.37.
- Update org.apache.pdfbox:pdfbox-examples to version 3.0.8.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| maven | – | org.apache.pdfbox:pdfbox-examples | >= 2.0.24, <= 2.0.36 | upgrade to 2.0.37 |
| maven | – | org.apache.pdfbox:pdfbox-examples | >= 3.0.0, <= 3.0.7 | upgrade to 3.0.8 |
Original title
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
Original description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.
Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.
The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) described in CVE-2026-23907. However, the change shipped in releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator: the containment check is a plain prefix comparison on the output directory. Because of that, a user with write rights on /home/ABC could be the victim of a malicious PDF that causes a write attempt to any path starting with the string /home/ABC, e.g. "/home/ABCDEF".
Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
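To illustrate the separator flaw described above, the following Java snippet is an added example (not the PDFBox ExtractEmbeddedFiles code and not the PR 427 fix itself). It contrasts a string-prefix containment check with a component-wise one; the output directory and embedded file names are constructed, and nothing is written to disk.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class EmbeddedFileTargetCheck {

    /** Flawed containment test: a plain string prefix with no separator boundary. */
    static boolean isInsideStringPrefix(Path outDir, String embeddedName) {
        Path base = outDir.toAbsolutePath().normalize();
        Path target = base.resolve(embeddedName).normalize();
        // "/home/ABCDEF/note.txt" starts with "/home/ABC" as a string, so this wrongly passes.
        return target.toString().startsWith(base.toString());
    }

    /** Corrected containment test: Path.startsWith compares whole path components. */
    static boolean isInsideComponentPrefix(Path outDir, String embeddedName) {
        Path base = outDir.toAbsolutePath().normalize();
        Path target = base.resolve(embeddedName).normalize();
        // Equivalent to checking target.toString().startsWith(base + File.separator) or equality.
        return target.startsWith(base);
    }

    public static void main(String[] args) {
        Path out = Paths.get("/home/ABC");            // constructed output directory
        String benign = "report.txt";                 // ordinary embedded file name
        String crafted = "../ABCDEF/note.txt";        // escapes into a sibling directory sharing the prefix

        System.out.println("benign,  string prefix : " + isInsideStringPrefix(out, benign));     // true
        System.out.println("benign,  component     : " + isInsideComponentPrefix(out, benign));  // true
        System.out.println("crafted, string prefix : " + isInsideStringPrefix(out, crafted));    // true (flaw)
        System.out.println("crafted, component     : " + isInsideComponentPrefix(out, crafted)); // false
    }
}
```

Resolving the target against the output directory before the check also rejects absolute embedded names, since resolve keeps an absolute argument unchanged and normalize then yields a path outside the base.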
Vulnerability type
CWE-22
Path Traversal
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026