Description

Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.

INFO

Published Date :

2026-03-20T08:44:24.942Z

Last Modified :

2026-03-20T08:44:24.942Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27625 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27625.

URL Resource
https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2 cve-icon cve-icon
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact