Path Traversal in Stirling-tools Stirling-pdf
CVE-2026-27625
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (6.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H.
Affected products
- Stirling-tools Stirling-pdf — versions < 2.5.2
Weakness classification (CWE)
References
- https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22 (x_refsource_CONFIRM)
- https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-27625?
- CVE-2026-27625 is a high-severity vulnerability in Stirling-tools Stirling-pdf, classified under Path Traversal. CVSS score: 8.1/10. Published 2026-03-20.
- How severe is CVE-2026-27625?
- High severity. CVSS v3 base score is 8.1 out of 10.