Cyber Resilience

CVE-2026-27625

Severity: High · Public PoC
Published: 20 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (fixed in version 2.5.2)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0046 (36.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27625 is a high-severity Path Traversal (CWE-22) vulnerability in Stirling-PDF, from vendor Stirling. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 36.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27625 is a path traversal vulnerability (CWE-22, CWE-23) in Stirling-PDF, a locally hosted web application for performing operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint processes user-supplied ZIP archives without validating extraction paths. This allows attackers to write files arbitrarily outside the intended temporary working directory using the privileges of the Stirling-PDF process user (stirlingpdfuser). The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Authenticated users can exploit this remotely by submitting a crafted ZIP file to the vulnerable endpoint, bypassing path restrictions during extraction. Successful exploitation enables overwriting any writable files accessible to the stirlingpdfuser, directly compromising data integrity. The extent of further impact depends on the writable paths available to the process, potentially escalating to service disruption or broader system compromise.

The vulnerability was fixed in Stirling-PDF version 2.5.2 by adding proper path validation during ZIP extraction. Security practitioners should upgrade to version 2.5.2 or later to mitigate the issue. Additional details are available in the release notes at https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2 and the GitHub security advisory at https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22.

Vulnerability details

Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), CWE-23 (Relative Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The CVE describes remote exploitation of a network-accessible web application endpoint via a crafted ZIP archive to achieve arbitrary file overwrite outside the intended paths. This directly maps to T1190, and the resulting integrity impact (overwriting data at rest) maps to T1565.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-40518 (shared CWE-22)
- CVE-2025-1785 (shared CWE-22)
- CVE-2026-29778 (shared CWE-23)
- CVE-2026-32274 (shared CWE-22)
- CVE-2024-54461 (shared CWE-22, CWE-23)
- CVE-2026-21659 (shared CWE-22, CWE-23)
- CVE-2025-29789 (shared CWE-22, CWE-23)
- CVE-2025-27410 (shared CWE-22, CWE-23)
- CVE-2026-22070 (shared CWE-22, CWE-23)
- CVE-2026-27202 (shared CWE-22, CWE-23)

Affected Assets

Vendor: stirling
Product: stirling pdf
Versions: ≤ 2.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly addresses the lack of path validation during ZIP extraction by requiring input validation at critical endpoints such as the markdown-to-PDF API, so that path traversal payloads in archive entry names are rejected before any file is written.

SI-2 Flaw Remediation (prevent)

Mitigates the vulnerability comprehensively by identifying, reporting, and applying vendor patches such as Stirling-PDF v2.5.2, which fixes the ZIP path traversal flaw.

Least privilege for the process user (prevent)

Limits the impact of arbitrary file writes by enforcing least privilege for the Stirling-PDF process user, restricting the paths writable by that account to the temporary working directory.
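The deeper analysis above says the fix in 2.5.2 added "proper path validation during ZIP extraction", and the SI-10 control describes the same check from the control side. The example below is added here to show what that validation looks like in working code; it is not Stirling-PDF's own code (the project is written in Java; Python is used only because the technique is language-independent) and not taken from this page. The function names (`is_safe_entry`, `classify_entries`, `extract_if_safe`, `build_sample_zip`, `demo`) and the archive contents are constructed for the illustration. The key idea is that every entry name is joined to the working directory, fully resolved, and accepted only if the result is still beneath that directory; the whole archive is validated before a single byte is written, so a mixed archive is rejected outright rather than partially extracted.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_safe_entry(dest: Path, name: str) -> bool:
    """Return True only if the entry would land strictly inside dest.

    This is the check the advisory describes as missing: join the entry
    name to the working directory, resolve it, and reject anything that
    does not remain beneath that directory.
    """
    if not name or "\x00" in name:
        return False
    # Treat backslashes as separators too; a lenient extractor on Windows
    # would, and the validator should not depend on the platform.
    normalized = name.replace("\\", "/")
    root = dest.resolve()
    # Joining discards `root` when `normalized` is absolute, which is why
    # absolute entry names resolve outside and are rejected here.
    candidate = (root / normalized).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return False
    return candidate != root  # an entry may not be the directory itself


def classify_entries(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Split an archive's entry names into accepted and rejected lists."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (accepted if is_safe_entry(Path(dest), name) else rejected).append(name)
    return accepted, rejected


def extract_if_safe(zip_bytes: bytes, dest: str) -> tuple[bool, list[str]]:
    """Validate every entry first; write nothing if any entry escapes dest.

    Returns (True, written_paths) on success, or (False, rejected_names)
    without touching the filesystem.
    """
    accepted, rejected = classify_entries(zip_bytes, dest)
    if rejected:
        return False, rejected
    root = Path(dest).resolve()
    root.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            target = (root / name.replace("\\", "/")).resolve()
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target))
    return True, written


def build_sample_zip(include_unsafe: bool) -> bytes:
    """Constructed test archive: benign entries plus, optionally, escapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.md", "# hello")
        zf.writestr("images/a.png", b"\x89PNG")
        zf.writestr("sub/../ok.txt", "resolves to dest/ok.txt, still inside")
        if include_unsafe:
            zf.writestr("../../outside.txt", "classic dot-dot escape")
            zf.writestr("/etc/evil.txt", "absolute path escape")
            zf.writestr("sub/../../escape.txt", "escape hidden behind a subdir")
            zf.writestr("..\\..\\win.txt", "backslash separators")
    return buf.getvalue()


def demo() -> dict:
    """Run both archives against a fresh temp directory and report results."""
    work = Path(tempfile.mkdtemp(prefix="zipslip-")).resolve()
    ok_malicious, rejected = extract_if_safe(build_sample_zip(True), str(work))
    ok_benign, written = extract_if_safe(build_sample_zip(False), str(work))
    return {
        "malicious_blocked": not ok_malicious,
        "rejected": rejected,
        "benign_extracted": ok_benign,
        "benign_written": sorted(os.path.relpath(p, work) for p in written),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The containment test uses `resolve()` on both sides, so a symlink already present inside the working directory that points elsewhere also causes a rejection; that is the conservative choice for an upload handler. And `sub/../ok.txt` is accepted because it resolves back inside the directory: the check is on where the entry ends up, not on whether the name contains `..`, which avoids both false positives and the trivial bypasses that string-matching on `..` invites.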
