CVE-2026-33436
Reflected XSS in Stirling-PDF Upload Endpoints Before 2.0.0
Publication date: 2026-04-17
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stirling_pdf | stirling_pdf | before 2.0.0 (2.0.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
Stirling-PDF versions before 2.0.0 write the name of an uploaded file straight into the page's HTML, using innerHTML (or equivalent markup-building) without escaping it first. The filename is attacker-controlled data, and innerHTML parses its input as markup, so any tags or event-handler attributes embedded in the name become live DOM.
An attacker therefore needs only a file whose name carries such a payload and a victim who uploads it; the script runs in the uploading user's browser, which the advisory classifies as reflected cross-site scripting (XSS). Because the victim has to select the crafted file themselves, the attack requires user interaction.
The defect is present in multiple upload endpoints across the application and is fixed in version 2.0.0.
How can this vulnerability impact me?
If you upload a file whose name was crafted by an attacker, the attacker's JavaScript runs in your browser, in the context of the Stirling-PDF origin.
That is the usual XSS impact: the script can read what the page can read (including document content and any session state exposed to script), issue requests as you, or alter what the page shows.
The CVSS score is nevertheless low (3.1): the attack requires user interaction, since the victim must upload the crafted file, and its rated impact on confidentiality, integrity, and availability is limited.
What immediate steps should I take to mitigate this vulnerability?
The fix is in Stirling-PDF 2.0.0; upgrading to 2.0.0 or later is the immediate mitigation.
The root cause is that a user-supplied filename reaches an HTML sink unescaped, so if you maintain a fork or cannot upgrade yet, fix the sink rather than the input: insert filenames with textContent (or createTextNode) instead of innerHTML, or HTML-escape them before they are concatenated into markup. Rejecting suspicious filenames on upload is a weaker, secondary control, and a Content Security Policy that disallows inline scripts and event handlers reduces what an injected payload can do until the code is fixed.
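To make the pattern from the explanation and the mitigation above concrete, the following JavaScript is an added example written for this page, not Stirling-PDF's own code: an upload list that concatenates file.name into markup destined for innerHTML, the tag a crafted filename injects, and the two fixes the mitigation answer suggests (escape before building markup, or build elements and set textContent). The sample filenames, the `renderUploadList*` functions, `escapeHtml`, `injectedTags` and the `fakeCreateElement` DOM stand-in are all constructed for the demonstration so it runs offline under Node.

```javascript
// Added example for this page (not Stirling-PDF's code): an upload list that
// writes file.name into innerHTML, the markup a crafted filename injects, and
// two fixes (escape before building markup; or use textContent). The DOM is
// simulated with a small stand-in so the strings can be checked under Node.

// Constructed sample uploads: two benign names and one carrying an XSS payload.
const SAMPLE_FILES = [
  { name: "quarterly-report.pdf", size: 120345 },
  { name: 'Müller & Söhne "final".pdf', size: 9812 },
  { name: "<img src=x onerror=alert(document.cookie)>.pdf", size: 777 },
];

// Vulnerable pattern (the one the advisory describes): the filename is
// concatenated into a string destined for element.innerHTML, so any tag or
// event-handler attribute in the name becomes live DOM.
function renderUploadListUnsafe(files) {
  return files
    .map((f) => `<li class="upload">${f.name} (${f.size} bytes)</li>`)
    .join("");
}

// HTML escaper for untrusted text placed in element content or a quoted
// attribute value: the five characters that can alter HTML structure.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fix A: escape the untrusted value before it enters the markup string.
function renderUploadListSafe(files) {
  return files
    .map((f) => `<li class="upload">${escapeHtml(f.name)} (${Number(f.size)} bytes)</li>`)
    .join("");
}

// Fix B (preferred in a browser): build elements and assign textContent, so
// the filename is never parsed as HTML. createElement is a parameter so the
// stand-in below works offline; in a page pass document.createElement.bind(document).
function renderUploadListDom(files, createElement = fakeCreateElement) {
  const ul = createElement("ul");
  for (const f of files) {
    const li = createElement("li");
    li.className = "upload";
    li.textContent = `${f.name} (${f.size} bytes)`;
    ul.appendChild(li);
  }
  return ul;
}

// Minimal stand-in for a DOM element (constructed for this example).
// Serialising textContent escapes it, mirroring why textContent cannot
// introduce markup.
function fakeCreateElement(tagName) {
  return {
    tagName,
    className: "",
    textContent: "",
    children: [],
    appendChild(child) {
      this.children.push(child);
      return child;
    },
    get outerHTML() {
      const cls = this.className ? ` class="${escapeHtml(this.className)}"` : "";
      const inner = this.children.length
        ? this.children.map((c) => c.outerHTML).join("")
        : escapeHtml(this.textContent);
      return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
    },
  };
}

// Check: which tags appear in the rendered HTML besides the <ul>/<li> wrappers
// the renderer itself emits? Anything else was injected by a filename.
function injectedTags(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase())
    .filter((t) => t !== "ul" && t !== "li");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("innerHTML, unescaped:", injectedTags(renderUploadListUnsafe(SAMPLE_FILES)));
  console.log("innerHTML, escaped  :", injectedTags(renderUploadListSafe(SAMPLE_FILES)));
  console.log("textContent         :", injectedTags(renderUploadListDom(SAMPLE_FILES).outerHTML));
}
```

Run with `node` to see the unescaped renderer leak an `img` tag from the third filename while both fixes yield no injected tags. Fix B is the better default in application code because there is no markup string for a later refactor to forget to escape; Fix A matters where a template or framework forces you to build HTML strings.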
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an attacker run script in a user's browser by way of an unescaped filename rendered into HTML.
The CVE text says nothing about compliance, but script running in a user's session can read or alter the data that user is working with, so regulations that require safeguards for personal or health data (GDPR, HIPAA) are relevant wherever the instance processes such documents.
Given the low score (3.1) and the user-interaction requirement, the practical compliance impact depends on what data the deployment handles and who can reach it.