CVE-2026-27625
Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction
Severity
HIGH
Title source: cnaDescription
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.
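As an added defensive illustration, not code from Stirling-PDF or from the advisory: a Python extraction routine for a user-supplied ZIP of the kind the markdown-to-PDF endpoint unpacks, which resolves every entry against the working directory and refuses any that would land outside it. The archive it runs against is constructed inline (two ordinary entries, one "../" entry, one absolute-path entry); `Path.is_relative_to` requires Python 3.9 or newer.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract into dest, skipping entries that resolve outside it; returns (written, rejected)."""
    dest = dest.resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve before touching the filesystem: "../" collapses, an absolute entry
            # replaces dest outright, existing symlinks under dest are followed, so any
            # escape shows up as a path that is not under dest.
            target = (dest / name).resolve()
            if target == dest or not target.is_relative_to(dest):
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written, rejected

def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the advisory): two legitimate entries, two Zip Slip entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.md", "# hello\n")
        zf.writestr("images/logo.png", b"\x89PNG")
        zf.writestr("../../escape.txt", "outside the work dir")
        zf.writestr("/abs.txt", "absolute path")
    return buf.getvalue()

def demo() -> dict:
    """Run the constructed archive through safe_extract in a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp).resolve()
        written, rejected = safe_extract(build_sample_zip(), work)
        return {
            "written": written,
            "rejected": rejected,
            "logo": (work / "images" / "logo.png").read_bytes(),
            "escaped": (work.parent.parent / "escape.txt").exists(),
        }
```

`demo()` reports the two legitimate entries as written and the two traversal entries as rejected, with nothing created above the working directory.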
References (2)
x_refsource_confirm
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22
x_refsource_misc
https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2
Scores
CVSS v3
8.1
EPSS
0.0046
EPSS Percentile
36.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-23
Status
published
Products (2)
stirling/stirling_pdf
< 2.5.2
Stirling-Tools/Stirling-PDF
< 2.5.2
Published
Mar 20, 2026
Tracked Since
Mar 20, 2026