CVE-2026-40505
Published 2026-04-16
Priority: P4 · 15 · low · 3.3 · CVSS 3.1
AV:L · AC:L · PR:N · UI:R · S:U · C:N · I:L · A:N
EPSS: 0.17% (6.2th percentile)
MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artifex | mupdf | < 1.27.0 | 1.27.0 |
| artifex_software_inc | mupdf | < 1.27.0 | 1.27.0 |
| artifex_software_inc | mupdf | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | v4.0 | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Artifex MuPDF control sequence
vuldb·2026-04-16·CVSS 4.8
CVE-2026-40505 [MEDIUM] Artifex MuPDF control sequence
A vulnerability identified as problematic has been detected in Artifex MuPDF. Affected by this vulnerability is an unknown functionality of the component PDF Handler. The manipulation leads to improper neutralization of escape, meta, or control sequences.
This vulnerability is listed as CVE-2026-40505. The attack may be initiated remotely. There is no available exploit.
It is recommended to apply a patch to fix this issue.
GHSA
GHSA-hj44-m5xv-x75q: MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequence
ghsa_unreviewed·2026-04-16
CVE-2026-40505 [MEDIUM] CWE-150 GHSA-hj44-m5xv-x75q: MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequence
MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.
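The neutralization step this class of bug (CWE-150) calls for, as an added example that is not MuPDF's patch or code from this page: a C routine that rewrites terminal control characters in a metadata string as visible `\xNN` text before it is printed. The function names and the sample Title value are constructed for illustration, and the input is assumed to be UTF-8.

```c
#include <stdio.h>
#include <string.h>

/* Copy src to dst, replacing every terminal control character with a visible
 * \xNN escape: all of C0 (0x00-0x1F, so ESC, CR, LF and BS too), DEL, and the
 * C1 range U+0080-U+009F as UTF-8 (0xC2 0x80..0x9F), which includes the
 * single-character CSI U+009B. Returns bytes written, or -1 if dst is too small. */
int neutralize_controls(const char *src, char *dst, size_t dstsz)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t o = 0;

    if (dstsz == 0) return -1;
    while (*p) {
        int c0 = (*p < 0x20) || (*p == 0x7F);
        /* p[1] is read only when p[0] is non-zero, so it is at worst the NUL */
        int c1 = (p[0] == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F);

        if (c0 || c1) {
            size_t n = c1 ? 2 : 1;              /* source bytes to escape */
            for (size_t i = 0; i < n; i++) {
                if (o + 5 > dstsz) return -1;   /* 4 chars plus NUL */
                snprintf(dst + o, 5, "\\x%02X", (unsigned)p[i]);
                o += 4;
            }
            p += n;
        } else {
            if (o + 2 > dstsz) return -1;       /* 1 char plus NUL */
            dst[o++] = (char)*p++;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Demo wrapper: static buffer, NULL when the escaped text does not fit. */
const char *neutralized(const char *src)
{
    static char buf[256];
    return neutralize_controls(src, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed sample: a Title field carrying a clear-screen sequence. */
    printf("Title: %s\n", neutralized("Q3 Report\x1b[2J"));
    return 0;
}
```

On installations that cannot yet move to 1.27.0, the same filtering applied to the output of `mutool info` before it reaches an interactive terminal keeps embedded sequences from being interpreted.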
No detection rules found.
No public exploits indexed.
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0f17d789fe8c29b41e47663be82514aaca3a4dfb
https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb
https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0
https://www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadata
2026-04-16
Published