CVE-2026-40505

LOW

MuPDF mutool ANSI Injection via Metadata

Title source: cna

Description

MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.

References (4)

[Patch] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0f17d789fe8c29b41e47663be82514aaca3a4dfb

[Third Party Advisory] https://www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadata

[Release Notes] https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0

[Patch] https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb

View Patch ZIP pw:eip

Scores

CVSS v3 3.3

EPSS 0.0000

EPSS Percentile 0.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-150

Status published

Products (3)

Artifex Software Inc./MuPDF < 0f17d789fe8c29b41e47663be82514aaca3a4dfb

Artifex Software Inc./MuPDF < 1.27.0

Artifex Software Inc./MuPDF 0f17d789fe8c29b41e47663be82514aaca3a4dfb

Published Apr 16, 2026

Tracked Since Apr 16, 2026