CVE-2025-14420
Directory Traversal in PDF Architect CBZ Parsing Enables RCE
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: Zero Day Initiative
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pdfforge | pdf_architect | 3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in pdfforge PDF Architect's handling of CBZ files. It is a directory traversal flaw caused by improper validation of user-supplied paths during file operations. An attacker can exploit this by tricking a user into opening a malicious CBZ file or visiting a malicious page, which allows the attacker to execute arbitrary code with the current user's privileges.
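A defensive check for the flaw described above, as an added example that is not part of the original advisory or of pdfforge's code: it lists the entries of a CBZ file whose names would resolve outside the extraction directory. It assumes the CBZ is a ZIP container and that the traversal is carried in entry names, which the advisory does not spell out; `audit_cbz`, `build_sample` and the sample names are constructed for illustration.

```python
import io
import zipfile


def audit_cbz(data: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for each entry that could escape the extraction dir."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Windows file APIs accept both separators, so normalize before checking.
            norm = name.replace("\\", "/")
            if norm.startswith("/"):
                findings.append((name, "absolute path"))
            elif len(norm) > 1 and norm[1] == ":":
                findings.append((name, "drive-letter path"))
            elif ".." in norm.split("/"):
                # Only a whole ".." component is a traversal; "notes..v2" is harmless.
                findings.append((name, "parent-directory component"))
    return findings


def build_sample(names: list[str]) -> bytes:
    """Build an in-memory archive with the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample data")
    return buf.getvalue()


# Constructed entry names: three benign pages and four that leave the target directory.
SAMPLE_NAMES = [
    "page001.jpg",
    "chapter1/page002.jpg",
    "../../outside.txt",
    "..\\..\\outside2.txt",
    "/abs.txt",
    "C:/abs2.txt",
    "notes..v2/page.jpg",
]

if __name__ == "__main__":
    for entry, reason in audit_cbz(build_sample(SAMPLE_NAMES)):
        print(f"REJECT {entry!r}: {reason}")
```

Run a check like this on CBZ files at a mail or download gateway and quarantine any archive that produces findings instead of passing it to the viewer.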
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to execute arbitrary code on your system with the same privileges as the current user. This could lead to unauthorized access, data theft, system compromise, or further malware installation.