CVE-2026-27625

Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction

Assigner: GitHub_M
Reserved: 20.02.2026 Published: 20.03.2026 Updated: 20.03.2026

Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Stirling-Tools
Product	Stirling-PDF
Versions	Version < 2.5.2 is affected

Vendor

Stirling-Tools

Product

Stirling-PDF

Versions

Version < 2.5.2 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-23: Relative Path Traversal CWE

CVE-2026-27625 PUBLISHED

Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction

Metrics

Product Status

References

Problem Types