GHSA-jjwr-xmw6-gf78 · Severity: medium · Ecosystem: maven — Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, and from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path as-is. Users who have copied this example into their production code should review it to ensure that the resulting extraction path is acceptable. The example has been changed accordingly: the initial path and the extraction paths are now converted into canonical paths, and it is verified that the extraction path contains the initial path. The documentation has also been adjusted.
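The pattern the advisory describes, as an added example that is not code from the PDFBox project: the unsafe concatenation beside the canonicalise-and-check variant the fix introduces. It assumes the embedded file name has already been read from the file specification (the string PDComplexFileSpecification.getFilename() returns), so it depends only on the JDK; the class, method and sample names are invented for illustration.

```java
import java.io.File;
import java.io.IOException;

public class SafeExtractionPath {

    /** Vulnerable pattern (CWE-22): the untrusted embedded name is appended unchanged. */
    static File unsafeTarget(File extractionDir, String embeddedName) {
        return new File(extractionDir, embeddedName);
    }

    /**
     * Hardened pattern: canonicalise both the extraction directory and the candidate
     * target, then require that the target still lies inside the directory.
     * getCanonicalPath() resolves ".." segments and any symlinks that exist on disk.
     */
    static File safeTarget(File extractionDir, String embeddedName) throws IOException {
        if (embeddedName == null || embeddedName.isEmpty()) {
            throw new IOException("embedded file has no usable name");
        }
        String base = extractionDir.getCanonicalPath();
        if (!base.endsWith(File.separator)) {
            base += File.separator; // so "/tmp/out" does not match "/tmp/out-other"
        }
        File candidate = new File(extractionDir, embeddedName);
        String target = candidate.getCanonicalPath();
        if (!target.startsWith(base)) {
            throw new IOException("refusing to write outside " + base + ": " + embeddedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File out = new File(System.getProperty("java.io.tmpdir"), "pdfbox-extract");
        // Constructed sample names of the kind a file specification could carry.
        String[] names = { "report.txt", "sub/nested.txt", "../../outside.txt" };
        for (String name : names) {
            System.out.println("unsafe -> " + unsafeTarget(out, name).getCanonicalPath());
            try {
                System.out.println("safe   -> " + safeTarget(out, name).getCanonicalPath());
            } catch (IOException e) {
                System.out.println("safe   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The first two names resolve inside the extraction directory and are accepted; the third canonicalises to a path above it and is rejected before anything is written.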
Conclusion & alert: CVE-2026-23907 is rated Low Risk (25.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.04%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-05 | 0.05% | 0.04% | -0.01% |
| 2 | 2026-03-16 | 0.02% | 0.05% | +0.03% |
| 3 | 2026-03-10 | — | 0.02% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM | | 3.9 | 1.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | unimportant | CVE-2026-23907 unimportant priority: Debian including 2 source packages (libpdfbox-java, libpdfbox2-java), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 10. | https://security-tracker.debian.org/tracker/CVE-2026-23907 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2026-23907 |
| suse | medium | CVE-2026-23907 severity moderate: SUSE including 2 source package names (apache-pdfbox, apache-pdfbox-javadoc), 18 product×package rows across 15 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (15 product lines)): Known Not Affected 18. | https://www.suse.com/security/cve/CVE-2026-23907/ |
| ubuntu | medium | CVE-2026-23907 medium priority: Ubuntu including 2 source packages (libpdfbox-java, libpdfbox2-java), 13 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 13. | https://ubuntu.com/security/CVE-2026-23907 |
| URL | Tags |
|---|---|
| https://github.com/JoakimBulow/ | Not Applicable |
| https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw | Mailing List Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/03/10/1 | Mailing List Third Party Advisory |