{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27625", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.027Z", "datePublished": "2026-03-20T08:44:24.942Z", "dateUpdated": "2026-03-20T08:44:24.942Z"}, "containers": {"cna": {"title": "Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22"}, {"name": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2"}], "affected": [{"vendor": "Stirling-Tools", "product": "Stirling-PDF", "versions": [{"version": "< 2.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:44:24.942Z"}, "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2."}], "source": {"advisory": "GHSA-wccq-mg6x-2w22", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2."}], "id": "CVE-2026-27625", "lastModified": "2026-03-20T09:16:13.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:13.857", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:22:55.869289+00:00", "value": {"mitigation_remediation": ["Upgrade to Stirling\u2011PDF version 2.5.2 or later."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "Stirling\u2011Tools\u2019 Stirling\u2011PDF versions earlier than v2.5.2 are affected. The issue was addressed in the release tagged v2.5.2, as noted in the vendor\u2019s GitHub release page. All instances of the offending /api/v1/convert/markdown/pdf endpoint in these versions run without path enforcement.", "description_and_impact": "The vulnerability in Stirling\u2011PDF allows a locally authenticated user to upload a ZIP file via the /api/v1/convert/markdown/pdf endpoint that is extracted without any path validation. Because the ZIP extraction does not check for path traversal characters, an attacker can create entries that reference files outside the intended temporary directory, resulting in arbitrary file writes with the privileges of the Stirling\u2011PDF process user. This can overwrite existing writable files or create new ones, leading to integrity compromise of the host system and potentially allowing further local privilege escalation depending on the writable paths targeted.", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity. The exploit probability (EPSS) is not reported, and the vulnerability is not listed in the CISA KEV catalogue. An attacker only needs authenticated access to the web application; by sending a crafted ZIP containing traversal entries, they can cause the application to write arbitrary files with the process user\u2019s permissions. This makes the vulnerability exploitable in environments where the Stirling\u2011PDF process runs with elevated or otherwise sensitive privileges."}}}}, "created": "2026-03-20T10:36:31.143778+00:00", "updated": "2026-03-20T10:36:31.143808+00:00", "vendors": []}