CVE-2026-41580 in Stirling-PDF
Summary
by MITRE • 07/15/2026
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. Prior to 2.0.0, Stirling-PDF's /get-info-on-pdf endpoint rendered PDF Title and Author metadata fields without proper HTML encoding or sanitization, allowing a crafted PDF to execute attacker-controlled JavaScript in the browser of a user who views the resulting page. This issue is fixed in version 2.0.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/15/2026
The Stirling-PDF application presents a significant cross-site scripting vulnerability through its /get-info-on-pdf endpoint that existed prior to version 2.0.0. This vulnerability stems from inadequate input sanitization of PDF metadata fields, specifically the Title and Author fields that are directly rendered in the web interface without proper HTML encoding. The flaw represents a classic server-side template injection issue where user-supplied data flows directly into the HTML output stream without appropriate sanitization measures. Attackers can craft malicious PDF files containing specially formatted metadata fields that when processed by the application, inject malicious JavaScript code into the rendered HTML page.
The technical implementation of this vulnerability aligns with CWE-79 Cross-Site Scripting and follows patterns consistent with ATT&CK technique T1203 Exploitation for Client Execution. When a victim user accesses the PDF information page, the browser executes the injected JavaScript within the context of the application's domain, potentially enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or redirect victims to malicious sites. The vulnerability is particularly concerning because it operates entirely on the client-side execution plane without requiring server compromise or additional attack vectors. The application's failure to implement proper output encoding means that any special characters present in PDF metadata fields are not properly escaped before being rendered in HTML context.
The operational impact of this vulnerability extends beyond simple XSS exploitation as it provides attackers with a potential foothold for more sophisticated attacks within the application environment. An attacker could leverage this vulnerability to establish persistent access through session hijacking or to exfiltrate sensitive information from authenticated users. The local hosting nature of Stirling-PDF makes this vector particularly dangerous as attackers can craft PDF files that appear legitimate and execute malicious payloads when viewed by unsuspecting users within the organization. This vulnerability undermines the application's security posture by allowing arbitrary code execution in user browsers without requiring authentication or privileged access to the application server itself.
Mitigation strategies should focus on implementing proper output encoding for all user-supplied data rendered in HTML contexts, specifically enforcing HTML entity encoding for Title and Author metadata fields. The fix implemented in version 2.0.0 likely involved sanitizing these metadata fields through appropriate encoding functions that convert special characters into their HTML-safe equivalents. Organizations should also implement Content Security Policy headers to limit the execution of inline scripts and establish proper input validation for PDF files to prevent malicious metadata injection. Additional defensive measures include implementing strict MIME type checking for uploaded files and establishing automated scanning for suspicious metadata patterns within PDF documents to identify potential attack attempts.