References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

http://www.openwall.com/lists/oss-security/2026/03/10/1

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

This issue affects the 
ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.


The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because 
the filename that is obtained from 
PDComplexFileSpecification.getFilename() is appended to the extraction path.

Users who have copied this example into their production code should 
review it to ensure that the extraction path is acceptable. The example 
has been changed accordingly, now the initial path and the extraction 
paths are converted into canonical paths and it is verified that 
extraction path contains the initial path. The documentation has also 
been adjusted.

CWE-22

https://github.com/JoakimBulow/

https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw