CVE-2026-33436
Received Received - Intake
Reflected XSS in Stirling-PDF Upload Endpoints Before

Publication date: 2026-04-17

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33436
EUVD
EUVD-2026-23513
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stirling_pdf stirling_pdf to 2.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Stirling-PDF allows reflected cross-site scripting (XSS) via unsafe rendering of user-supplied filenames in HTML. This could potentially expose users to malicious scripts executing in their browsers.

While the CVE description does not explicitly mention compliance impacts, reflected XSS vulnerabilities can lead to unauthorized access to user data or session information, which may affect compliance with data protection regulations such as GDPR or HIPAA that require safeguarding personal and sensitive information.

However, since the vulnerability has a low CVSS score (3.1) and requires user interaction, the direct impact on compliance depends on the context of use and data handled by the application.

Executive Summary

This vulnerability exists in Stirling-PDF versions prior to 2.0.0, where file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization.

An attacker can exploit this by crafting a file with a malicious filename containing JavaScript code that executes in the browser of the user uploading the file, resulting in reflected Cross-Site Scripting (XSS).

The issue affects multiple upload endpoints across the application and has been fixed in version 2.0.0.

Impact Analysis

This vulnerability can impact users by allowing attackers to execute malicious JavaScript in their browsers when they upload files with specially crafted filenames.

Such reflected XSS attacks can lead to the theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser.

However, the CVSS score is relatively low (3.1), indicating that the attack requires user interaction and has limited impact on confidentiality, integrity, and availability.

Mitigation Strategies

The vulnerability is fixed in Stirling-PDF version 2.0.0. Immediate mitigation involves upgrading the application to version 2.0.0 or later.

Since the issue is caused by unsafe rendering of user-supplied filenames into HTML without sanitization, another mitigation step is to avoid using unsafe methods like innerHTML to render filenames or to implement proper sanitization of filenames before rendering.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart