CVE-2026-34071
Stored XSS in Stirling-PDF Email Export Allows Script Execution
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stirlingpdf | stirling_pdf | 2.7.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute malicious JavaScript in the context of a Stirling-PDF user by exploiting unsanitized HTML returned from the application. This can lead to unauthorized access to internal network resources and credential harvesting through phishing forms.
Such unauthorized access and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Specifically, the risk of credential theft and internal network access could lead to data breaches, violating confidentiality and integrity requirements mandated by these regulations.
Can you explain this vulnerability to me?
CVE-2026-34071 is a Stored Cross-Site Scripting (XSS) vulnerability in the Stirling-PDF web application, specifically in version 2.7.3. The vulnerability occurs in the /api/v1/convert/eml/pdf endpoint when the parameter downloadHtml=true is used. This endpoint returns the email body as unsanitized HTML with the Content-Type set to text/html, allowing any embedded JavaScript in the email body to execute in the user's browser.
The root cause is that the method responsible for converting emails to HTML does not apply any HTML sanitization, resulting in raw HTML being returned. While email metadata like Subject, From, and To are properly escaped, the HTML body is not sanitized. An attacker can exploit this by sending a malicious email containing JavaScript code to a Stirling-PDF user. When the user exports the email using the "Download HTML intermediate file" feature, the malicious JavaScript executes when the file is opened.
Exploitation requires the attacker to send a crafted email to the user, the user to be authenticated in Stirling-PDF, and the user to choose the download HTML export option and open the resulting file. No special configuration changes are needed as the feature is enabled by default.
How can this vulnerability impact me?
This vulnerability can lead to JavaScript execution in the context of the user's browser when they open the exported HTML file. This can allow an attacker to perform actions such as accessing internal network resources via fetch requests from the victim's browser, harvesting credentials through phishing forms embedded in the malicious HTML, and potentially other malicious activities that rely on executing JavaScript in the user's environment.
The impact is rated as Moderate with a CVSS v3.1 base score of 5.4, indicating that while the attack requires user interaction (opening the exported file), it does not require any privileges or complex conditions beyond sending a malicious email and the user exporting and opening the HTML file.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /api/v1/convert/eml/pdf endpoint with the parameter downloadHtml=true to see if it returns unsanitized HTML content from the email body.
Specifically, you can send a crafted email containing JavaScript payloads to a Stirling-PDF user, then use the "Download HTML intermediate file" feature to export the email and check if the returned HTML file contains unescaped JavaScript that executes when opened.
There are no explicit commands provided in the resources, but a possible approach is to use curl or similar HTTP clients to request the vulnerable endpoint and inspect the response for unsanitized HTML content.
- curl -v -X POST 'http://<stirling-pdf-host>/api/v1/convert/eml/pdf?downloadHtml=true' -H 'Authorization: Bearer <token>' -F 'fileInput=@<email-file.eml>'
Then inspect the response body for embedded JavaScript or unescaped HTML tags that could indicate the vulnerability.
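One way to carry out that inspection on a saved export, as an added example (not Stirling-PDF code and not part of the original advisory): a Python scan for script-capable markup in the HTML. `SAMPLE_EXPORT` is constructed for illustration, and the tag and attribute lists are assumptions that are not exhaustive.

```python
import sys
from html.parser import HTMLParser

# Assumed (non-exhaustive) lists of markup that can run script or collect input.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}

class ActiveContentFinder(HTMLParser):
    """Collects (line, tag, reason) for markup that should not survive sanitization."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, tag, "active tag"))
        for name, value in attrs:
            # Attribute values arrive entity-decoded; drop whitespace and control
            # characters the way browsers do before reading the URL scheme.
            url = "".join(ch for ch in (value or "").lower() if ch > " ")
            if name.startswith("on"):
                self.findings.append((line, tag, f"event handler {name}"))
            elif name in URL_ATTRS and url.startswith("javascript:"):
                self.findings.append((line, tag, f"javascript: URL in {name}"))

def scan_export(html_text):
    finder = ActiveContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample: escaped metadata (harmless text) above an unsanitized body.
SAMPLE_EXPORT = """<html><body>
<div class="header">Subject: &lt;script&gt;void(0)&lt;/script&gt;</div>
<div class="body">
<img src="x.png" onerror="void(0)">
<a href="java&#9;script:void(0)">link</a>
<form action="https://placeholder.invalid/login"><input name="pw"></form>
</div></body></html>"""

if __name__ == "__main__":
    # With a path argument, scan that exported file; otherwise scan the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_EXPORT
    for line, tag, reason in scan_export(text):
        print(f"line {line}: <{tag}> {reason}")
```

Any finding in the body of an export produced from untrusted mail means the markup reached the file unsanitized; an empty result on a patched instance is the expected outcome.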
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Stirling-PDF to version 2.8.0 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, avoid using the "Download HTML intermediate file" feature on emails received from untrusted sources, as this feature returns unsanitized HTML that can execute malicious JavaScript.
Additionally, restrict access to the Stirling-PDF application to trusted users and networks to reduce the risk of exploitation.