CVE-2026-40505Improper Neutralization of Escape, Meta, or Control Sequences in Software INC Mupdf

CWE-150Improper Neutralization of Escape, Meta, or Control Sequences5 documents5 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 98.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Artifex Software INC Mupdf
Timeline
PublishedApr 16

Description

MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5artifex_software_inc/mupdf< 0f17d789fe8c29b41e47663be82514aaca3a4dfb

🔴Vulnerability Details

3
VulDB
Artifex MuPDF control sequence2026-04-16
GHSA
GHSA-hj44-m5xv-x75q: MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequence2026-04-16
CVEList
MuPDF mutool ANSI Injection via Metadata2026-04-16

💬Community

1
Bugzilla
CVE-2026-40505 MuPDF: MuPDF mutool: Terminal manipulation through unsanitized PDF metadata2026-04-16
CVE-2026-40505 — Software INC Mupdf vulnerability | cvebase