{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27625", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.027Z", "datePublished": "2026-03-20T08:44:24.942Z", "dateUpdated": "2026-03-20T15:37:16.038Z"}, "containers": {"cna": {"title": "Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22"}, {"name": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2"}], "affected": [{"vendor": "Stirling-Tools", "product": "Stirling-PDF", "versions": [{"version": "< 2.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:44:24.942Z"}, "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2."}], "source": {"advisory": "GHSA-wccq-mg6x-2w22", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:36:55.042694Z", "id": "CVE-2026-27625", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:37:16.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27625", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:36:55.042694Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:37:11.873Z"}}], "cna": {"title": "Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction", "source": {"advisory": "GHSA-wccq-mg6x-2w22", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Stirling-Tools", "product": "Stirling-PDF", "versions": [{"status": "affected", "version": "< 2.5.2"}]}], "references": [{"url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22", "name": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2", "name": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:44:24.942Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27625", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:37:16.038Z", "dateReserved": "2026-02-20T22:02:30.027Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:44:24.942Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stirling:stirling_pdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE82913D-A442-4C18-847F-741630FC4CD0", "versionEndExcluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2."}, {"lang": "es", "value": "Stirling-PDF es una aplicaci\u00f3n web alojada localmente que realiza diversas operaciones en archivos PDF. En versiones anteriores a la 2.5.2, el endpoint /API/v1/convert/markdown/pdf extrae entradas ZIP proporcionadas por el usuario sin comprobaciones de ruta. Cualquier usuario autenticado puede escribir archivos fuera del directorio de trabajo temporal previsto, lo que lleva a la escritura arbitraria de archivos con los privilegios del usuario del proceso de Stirling-PDF (stirlingpdfuser). Esto puede sobrescribir archivos escribibles y comprometer la integridad de los datos, con un impacto adicional dependiendo de las rutas escribibles. El problema se solucion\u00f3 en la versi\u00f3n 2.5.2."}], "id": "CVE-2026-27625", "lastModified": "2026-03-24T16:03:23.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T09:16:13.857", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Product"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 82.0, "source": "matching"}]}, "original": {"product": "Stirling-PDF", "source": "cna", "vendor": "Stirling-Tools"}, "product": "stirling_pdf", "vendor": "stirlingpdf"}], "analysis": {"en": {"generated_at": "2026-03-24T17:28:08.169252+00:00", "value": {"mitigation_remediation": ["Upgrade Stirling\u2011PDF to version 2.5.2 or later."], "summary": {"action": "Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "Stirling\u2011Tools: Stirling\u2011PDF versions earlier than 2.5.2 are affected. The vulnerability exists in the locally hosted web application\u2019s API endpoint /api/v1/convert/markdown/pdf.", "description_and_impact": "An authenticated user can submit a ZIP file to the Markdown\u2011to\u2011PDF conversion endpoint. The application extracts ZIP entries without validating their paths, allowing a path traversal exploit that writes files outside the intended temporary directory. This gives the process user the ability to overwrite any writable file, compromising data integrity and potentially enabling further escalation depending on the target files.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires authentication and access to the API, making it an authenticated local or network\u2011based attack. After patching to version 2.5.2, the path validation is restored, eliminating this vector."}}}}, "created": "2026-03-20T10:36:31.143778+00:00", "updated": "2026-03-25T14:29:47.612401+00:00", "vendors": ["stirlingpdf", "stirlingpdf$PRODUCT$stirling_pdf"]}