CVE-2026-23907

CWE-22 — Path Traversal8 documents7 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 81.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Pdfbox Examples Apache Pdfbox

Timeline

PublishedMar 10

Description

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.apache.pdfbox:pdfbox-examples2.0.24 — 3.0.7

▶CVEListV5apache_software_foundation/apache_pdfbox_examples2.0.24 — 2.0.35+1

▶NVDapache/pdfbox2.0.24 — 2.0.35+1

🔴Vulnerability Details

OSV

CVE-2026-23907: This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2↗2026-03-10

▶

GHSA

Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function↗2026-03-10

▶

CVEList

Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code↗2026-03-10

▶

OSV

Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function↗2026-03-10

▶

📋Vendor Advisories

Red Hat

org.apache.pdfbox:pdfbox-examples: Apache PDFBox Example: Path Traversal via specially crafted filenames allows arbitrary file write↗2026-03-10

▶

Debian

CVE-2026-23907: libpdfbox-java - This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0....↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23907 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶