VulnerableCode Package Details - pkg:maven/org.apache.pdfbox/pdfbox-examples@3.0.7

Search for packages

Vulnerability	Summary	Fixed by
VCID-jdm2-sqfm-pbc9 Aliases: CVE-2026-33929 GHSA-gcj8-76p4-g2fq	Apache PDFBox: Apache PDFBox: Arbitrary file write via path traversal in ExtractEmbeddedFiles example	3.0.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-jdm2-sqfm-pbc9
Aliases:
CVE-2026-33929
GHSA-gcj8-76p4-g2fq

Apache PDFBox: Apache PDFBox: Arbitrary file write via path traversal in ExtractEmbeddedFiles example

3.0.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3nex-zq6b-57e7	Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.	CVE-2026-23907 GHSA-jjwr-xmw6-gf78

Vulnerability

Summary

Aliases

VCID-3nex-zq6b-57e7

Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.

CVE-2026-23907
GHSA-jjwr-xmw6-gf78

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-07T20:53:24.339240+00:00	GHSA Importer	Affected by	VCID-jdm2-sqfm-pbc9	https://github.com/advisories/GHSA-gcj8-76p4-g2fq	38.6.0
2026-06-06T07:58:31.376440+00:00	GitLab Importer	Affected by	VCID-jdm2-sqfm-pbc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.pdfbox/pdfbox-examples/CVE-2026-33929.yml	38.6.0
2026-06-05T22:03:30.191134+00:00	GHSA Importer	Fixing	VCID-3nex-zq6b-57e7	https://github.com/advisories/GHSA-jjwr-xmw6-gf78	38.6.0
2026-06-04T17:00:10.339131+00:00	GithubOSV Importer	Fixing	VCID-3nex-zq6b-57e7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jjwr-xmw6-gf78/GHSA-jjwr-xmw6-gf78.json	38.6.0
2026-06-02T04:51:34.970531+00:00	GitLab Importer	Fixing	VCID-3nex-zq6b-57e7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.pdfbox/pdfbox-examples/CVE-2026-23907.yml	38.6.0