CVE-2026-27625
Published: 20 March 2026
Summary
CVE-2026-27625 is a high-severity Path Traversal (CWE-22) vulnerability in Stirling-PDF. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the lack of path validation during ZIP extraction by requiring input validation at critical endpoints like the markdown-to-PDF API to block path traversal payloads.
Mitigates the vulnerability comprehensively by identifying, reporting, and applying vendor patches such as Stirling-PDF v2.5.2 that fix the ZIP path traversal flaw.
Limits the impact of arbitrary file writes by enforcing least privilege for the Stirling-PDF process user, restricting writable paths outside the temporary directory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote exploitation of a network-accessible web application endpoint via a crafted ZIP to achieve arbitrary file overwrite outside intended paths, directly enabling T1190 and facilitating stored data manipulation (integrity impact) via T1565.001.
NVD Description
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.
Deeper analysis
CVE-2026-27625 is a path traversal vulnerability (CWE-22, CWE-23) in Stirling-PDF, a locally hosted web application for performing operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint processes user-supplied ZIP archives without validating extraction paths. This allows attackers to write files arbitrarily outside the intended temporary working directory using the privileges of the Stirling-PDF process user (stirlingpdfuser). The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
Authenticated users can exploit this remotely by submitting a crafted ZIP file to the vulnerable endpoint, bypassing path restrictions during extraction. Successful exploitation enables overwriting any writable files accessible to the stirlingpdfuser, directly compromising data integrity. The extent of further impact depends on the writable paths available to the process, potentially escalating to service disruption or broader system compromise.
The vulnerability was fixed in Stirling-PDF version 2.5.2 by adding proper path validation during ZIP extraction. Security practitioners should upgrade to version 2.5.2 or later to mitigate the issue. Additional details are available in the release notes at https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2 and the GitHub security advisory at https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22.
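The flaw class described above (ZIP entries extracted without checking where they land) and the SI-10 input-validation control listed under Mitigating Controls both come down to one check: every entry's resolved target must stay inside the extraction directory. The following Python example, added here and not taken from Stirling-PDF (which is a Java application) or from its 2.5.2 fix, shows that check applied to a constructed archive containing one benign entry and two escaping entries; the archive contents, directory names and function names are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Return True only if entry_name resolves to a path inside dest_dir.

    The check canonicalises both sides (resolving '..', '.', and symlinks)
    and compares the result, which is the validation the advisory says was
    missing before 2.5.2.
    """
    # Treat backslashes as separators so Windows-style '..\\' cannot slip past
    # a POSIX check.
    normalised = entry_name.replace("\\", "/")
    # Absolute names (or drive-qualified names) are never legitimate inside an
    # upload; reject them before joining, since Path(dest) / "/etc/x" == "/etc/x".
    if os.path.isabs(normalised) or os.path.splitdrive(normalised)[0]:
        return False
    dest = Path(dest_dir).resolve()
    target = (dest / normalised).resolve()
    return target == dest or dest in target.parents


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only entries that stay inside dest_dir.

    Returns (written, rejected): the entry names actually written and the
    names refused by is_safe_entry. Rejected entries are logged by name,
    which is also the signal a detection rule would key on.
    """
    written, rejected = [], []
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_entry(dest_dir, name):
                rejected.append(name)
                continue
            target = dest / name.replace("\\", "/")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written, rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real upload): one benign markdown
    entry plus two entries whose names point outside the work directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc/readme.md", "# hello\n")
        zf.writestr("../escape.txt", "outside\n")
        zf.writestr("/tmp/absolute.txt", "outside\n")
    return buf.getvalue()


def demo():
    """Run safe_extract on the constructed archive in a fresh temp directory
    and report what was written, what was refused, and whether every file on
    disk is inside the directory."""
    with tempfile.TemporaryDirectory() as work:
        written, rejected = safe_extract(build_sample_zip(), work)
        root = Path(work).resolve()
        on_disk = [p for p in root.rglob("*") if p.is_file()]
        all_inside = all(root in p.resolve().parents for p in on_disk)
        return {"written": written, "rejected": rejected, "all_inside": all_inside}


if __name__ == "__main__":
    print(demo())
```

The comparison is done on resolved paths rather than on a string prefix, because a prefix test on `/srv/work` would wrongly accept `/srv/work-other/x` and would not see through a symlink inside the work directory. Counting and logging the `rejected` names is also useful operationally: an upload to a conversion endpoint that carries `..` or absolute entry names is worth alerting on regardless of whether extraction succeeded.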
Details
- CWE(s)