{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-13T15:48:05.447","vulnerabilities":[{"cve":{"id":"CVE-2026-23907","sourceIdentifier":"security@apache.org","published":"2026-03-10T18:18:16.960","lastModified":"2026-03-13T16:45:28.490","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"This issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.\n\n\nThe ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because \nthe filename that is obtained from \nPDComplexFileSpecification.getFilename() is appended to the extraction path.\n\nUsers who have copied this example into their production code should \nreview it to ensure that the extraction path is acceptable. The example \nhas been changed accordingly, now the initial path and the extraction \npaths are converted into canonical paths and it is verified that \nextraction path contains the initial path. The documentation has also \nbeen adjusted."},{"lang":"es","value":"Este problema afecta al ejemplo ExtractEmbeddedFiles en Apache PDFBox: desde 2.0.24 hasta 2.0.35, desde 3.0.0 hasta 3.0.6.\n\nEl ejemplo ExtractEmbeddedFiles contiene una vulnerabilidad de salto de ruta (CWE-22) porque el nombre de archivo que se obtiene de PDComplexFileSpecification.getFilename() se añade a la ruta de extracción.\n\nLos usuarios que han copiado este ejemplo en su código de producción deberían revisarlo para asegurarse de que la ruta de extracción es aceptable. El ejemplo ha sido modificado en consecuencia, ahora la ruta inicial y las rutas de extracción se convierten en rutas canónicas y se verifica que la ruta de extracción contiene la ruta inicial. La documentación también ha sido ajustada."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security@apache.org","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.24","versionEndIncluding":"2.0.35","matchCriteriaId":"1C68269E-0203-4CC0-A46A-79EE0707D72B"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndIncluding":"3.0.7","matchCriteriaId":"0C8FF3B3-3A97-4F50-BCDE-8EEA175F4C61"}]}]}],"references":[{"url":"https://github.com/JoakimBulow/","source":"security@apache.org","tags":["Not Applicable"]},{"url":"https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/03/10/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}