Path Traversal in Apache Software Foundation Pdfbox Examples

CVE-2026-23907

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (15.0th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Pdfbox Examples — versions 2.0.24, 3.0.0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

github.com/JoakimBulow/
lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw (vendor-advisory)