CVE-2026-34071
Received Received - Intake
Stored XSS in Stirling-PDF Email Export Allows Script Execution

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a malicious email to a Stirling-PDF user can achieve JavaScript execution when that user exports the email using the "Download HTML intermediate file" feature. Version 2.8.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34071
EUVD
EUVD-2026-16271
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stirlingpdf stirling_pdf 2.7.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to execute malicious JavaScript in the context of a Stirling-PDF user by exploiting unsanitized HTML returned from the application. This can lead to unauthorized access to internal network resources and credential harvesting through phishing forms.

Such unauthorized access and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Specifically, the risk of credential theft and internal network access could lead to data breaches, violating confidentiality and integrity requirements mandated by these regulations.

Executive Summary

CVE-2026-34071 is a Stored Cross-Site Scripting (XSS) vulnerability in the Stirling-PDF web application, specifically in version 2.7.3. The vulnerability occurs in the /api/v1/convert/eml/pdf endpoint when the parameter downloadHtml=true is used. This endpoint returns the email body as unsanitized HTML with the Content-Type set to text/html, allowing any embedded JavaScript in the email body to execute in the user's browser.

The root cause is that the method responsible for converting emails to HTML does not apply any HTML sanitization, resulting in raw HTML being returned. While email metadata like Subject, From, and To are properly escaped, the HTML body is not sanitized. An attacker can exploit this by sending a malicious email containing JavaScript code to a Stirling-PDF user. When the user exports the email using the "Download HTML intermediate file" feature, the malicious JavaScript executes when the file is opened.

Exploitation requires the attacker to send a crafted email to the user, the user to be authenticated in Stirling-PDF, and the user to choose the download HTML export option and open the resulting file. No special configuration changes are needed as the feature is enabled by default.

Impact Analysis

This vulnerability can lead to JavaScript execution in the context of the user's browser when they open the exported HTML file. This can allow an attacker to perform actions such as accessing internal network resources via fetch requests from the victim's browser, harvesting credentials through phishing forms embedded in the malicious HTML, and potentially other malicious activities that rely on executing JavaScript in the user's environment.

The impact is rated as Moderate with a CVSS v3.1 base score of 5.4, indicating that while the attack requires user interaction (opening the exported file), it does not require any privileges or complex conditions beyond sending a malicious email and the user exporting and opening the HTML file.

Detection Guidance

This vulnerability can be detected by testing the /api/v1/convert/eml/pdf endpoint with the parameter downloadHtml=true to see if it returns unsanitized HTML content from the email body.

Specifically, you can send a crafted email containing JavaScript payloads to a Stirling-PDF user, then use the "Download HTML intermediate file" feature to export the email and check if the returned HTML file contains unescaped JavaScript that executes when opened.

There are no explicit commands provided in the resources, but a possible approach is to use curl or similar HTTP clients to request the vulnerable endpoint and inspect the response for unsanitized HTML content.

  • curl -v -X GET 'http://<stirling-pdf-host>/api/v1/convert/eml/pdf?downloadHtml=true' -H 'Authorization: Bearer <token>' --data-binary @<email-file.eml>

Then inspect the response body for embedded JavaScript or unescaped HTML tags that could indicate the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Stirling-PDF to version 2.8.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, avoid using the "Download HTML intermediate file" feature on emails received from untrusted sources, as this feature returns unsanitized HTML that can execute malicious JavaScript.

Additionally, restrict access to the Stirling-PDF application to trusted users and networks to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34071. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart