CVE-2026-23907 (GCVE-0-2026-23907)

Vulnerability from cvelistv5 – Published: 2026-03-10 09:43 – Updated: 2026-03-10 17:51
VLAI
Title
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
Summary
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.
Severity
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache PDFBox Examples Affected: 2.0.24 , ≤ 2.0.35 (semver)
Affected: 3.0.0 , ≤ 3.0.6 (semver)
Create a notification for this product.
Credits
Joakim Bülow (Neo4j Security Team)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:28:02.680Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/10/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T17:51:34.025936Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T17:51:53.261Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.pdfbox:pdfbox-examples",
          "product": "Apache PDFBox Examples",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.0.35",
              "status": "affected",
              "version": "2.0.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "3.0.6",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joakim B\u00fclow (Neo4j Security Team)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThis issue affects the \nExtractEmbeddedFiles example in\u0026nbsp;Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.\u003c/p\u003e\u003cp\u003e\nThe ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because \nthe filename that is obtained from \nPDComplexFileSpecification.getFilename() is appended to the extraction path.\n\u003cbr\u003eUsers who have copied this example into their production code should \nreview it to ensure that the extraction path is acceptable. The example \nhas been changed accordingly, now the initial path and the extraction \npaths are converted into canonical paths and it is verified that \nextraction path contains the initial path. The documentation has also \nbeen adjusted.\u003c/p\u003e"
            }
          ],
          "value": "This issue affects the \nExtractEmbeddedFiles example in\u00a0Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.\n\n\nThe ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because \nthe filename that is obtained from \nPDComplexFileSpecification.getFilename() is appended to the extraction path.\n\nUsers who have copied this example into their production code should \nreview it to ensure that the extraction path is acceptable. The example \nhas been changed accordingly, now the initial path and the extraction \npaths are converted into canonical paths and it is verified that \nextraction path contains the initial path. The documentation has also \nbeen adjusted."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T17:04:48.746Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://github.com/JoakimBulow/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-23907",
    "datePublished": "2026-03-10T09:43:40.384Z",
    "dateReserved": "2026-01-19T12:13:50.503Z",
    "dateUpdated": "2026-03-10T17:51:53.261Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23907",
      "date": "2026-06-17",
      "epss": "0.00886",
      "percentile": "0.54477"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23907\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-03-10T18:18:16.960\",\"lastModified\":\"2026-03-13T16:45:28.490\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This issue affects the \\nExtractEmbeddedFiles example in\u00a0Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.\\n\\n\\nThe ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because \\nthe filename that is obtained from \\nPDComplexFileSpecification.getFilename() is appended to the extraction path.\\n\\nUsers who have copied this example into their production code should \\nreview it to ensure that the extraction path is acceptable. The example \\nhas been changed accordingly, now the initial path and the extraction \\npaths are converted into canonical paths and it is verified that \\nextraction path contains the initial path. The documentation has also \\nbeen adjusted.\"},{\"lang\":\"es\",\"value\":\"Este problema afecta al ejemplo ExtractEmbeddedFiles en Apache PDFBox: desde 2.0.24 hasta 2.0.35, desde 3.0.0 hasta 3.0.6.\\n\\nEl ejemplo ExtractEmbeddedFiles contiene una vulnerabilidad de salto de ruta (CWE-22) porque el nombre de archivo que se obtiene de PDComplexFileSpecification.getFilename() se a\u00f1ade a la ruta de extracci\u00f3n.\\n\\nLos usuarios que han copiado este ejemplo en su c\u00f3digo de producci\u00f3n deber\u00edan revisarlo para asegurarse de que la ruta de extracci\u00f3n es aceptable. El ejemplo ha sido modificado en consecuencia, ahora la ruta inicial y las rutas de extracci\u00f3n se convierten en rutas can\u00f3nicas y se verifica que la ruta de extracci\u00f3n contiene la ruta inicial. La documentaci\u00f3n tambi\u00e9n ha sido ajustada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.24\",\"versionEndIncluding\":\"2.0.35\",\"matchCriteriaId\":\"1C68269E-0203-4CC0-A46A-79EE0707D72B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndIncluding\":\"3.0.7\",\"matchCriteriaId\":\"0C8FF3B3-3A97-4F50-BCDE-8EEA175F4C61\"}]}]}],\"references\":[{\"url\":\"https://github.com/JoakimBulow/\",\"source\":\"security@apache.org\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/10/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/10/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-10T13:28:02.680Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23907\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T17:51:34.025936Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T17:50:10.744Z\"}}], \"cna\": {\"title\": \"Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Joakim B\\u00fclow (Neo4j Security Team)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache PDFBox Examples\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.24\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.0.35\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.0.6\"}], \"packageName\": \"org.apache.pdfbox:pdfbox-examples\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/JoakimBulow/\"}, {\"url\": \"https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"This issue affects the \\nExtractEmbeddedFiles example in\\u00a0Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.\\n\\n\\nThe ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because \\nthe filename that is obtained from \\nPDComplexFileSpecification.getFilename() is appended to the extraction path.\\n\\nUsers who have copied this example into their production code should \\nreview it to ensure that the extraction path is acceptable. The example \\nhas been changed accordingly, now the initial path and the extraction \\npaths are converted into canonical paths and it is verified that \\nextraction path contains the initial path. The documentation has also \\nbeen adjusted.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThis issue affects the \\nExtractEmbeddedFiles example in\u0026nbsp;Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.\u003c/p\u003e\u003cp\u003e\\nThe ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because \\nthe filename that is obtained from \\nPDComplexFileSpecification.getFilename() is appended to the extraction path.\\n\u003cbr\u003eUsers who have copied this example into their production code should \\nreview it to ensure that the extraction path is acceptable. The example \\nhas been changed accordingly, now the initial path and the extraction \\npaths are converted into canonical paths and it is verified that \\nextraction path contains the initial path. The documentation has also \\nbeen adjusted.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-03-10T17:04:48.746Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-23907\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T17:51:53.261Z\", \"dateReserved\": \"2026-01-19T12:13:50.503Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-03-10T09:43:40.384Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.