CVE-2026-33436

EUVD-2026-23513
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.1 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
Affected Products (NVD)
VendorProductVersion
stirlingpdfstirling_pdf
𝑥
< 2.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-q5j3-4m5w-wp75