CVE-2026-33436 Overview
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. A reflected Cross-Site Scripting (XSS) vulnerability exists in versions prior to 2.0.0 where file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without proper sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, credential theft, or unauthorized actions within the Stirling-PDF application.
Affected Products
- Stirling-PDF versions prior to 2.0.0
Discovery Timeline
- 2026-04-17 - CVE CVE-2026-33436 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-33436
Vulnerability Analysis
This vulnerability is classified as Improper Input Validation (CWE-20) and manifests as a reflected Cross-Site Scripting (XSS) attack. The core issue stems from the application's handling of user-supplied filenames during file upload operations. When users upload files, the application takes the filename from the upload request and renders it directly into the HTML response without adequate sanitization or encoding.
The use of unsafe DOM manipulation methods, specifically innerHTML, allows the browser to interpret and execute any JavaScript code embedded within the filename string. This creates an attack surface where crafted filenames containing malicious script tags or event handlers are executed in the context of the user's browser session.
The vulnerability affects numerous upload endpoints across the application, significantly expanding the attack surface. Since Stirling-PDF is a locally hosted application used for PDF manipulation, successful exploitation could provide attackers access to sensitive documents being processed by the victim.
Root Cause
The root cause of this vulnerability is the direct use of innerHTML to render user-controlled filename data into the DOM without proper sanitization. When user input is inserted using innerHTML, the browser parses the content as HTML, allowing embedded script elements or event handlers to execute. Secure alternatives such as textContent or proper input encoding should be used when displaying user-supplied data.
Attack Vector
The attack requires network access and user interaction. An attacker must convince a victim to upload a specially crafted file with a malicious filename. The attack scenario typically involves:
- Attacker creates a file with a filename containing JavaScript payload (e.g., <img src=x onerror=alert(document.cookie)>.pdf)
- Attacker shares this file with the victim through social engineering
- Victim uploads the file to their Stirling-PDF instance
- The malicious filename is rendered unsafely, executing the JavaScript in the victim's browser
- The attacker's script runs with the victim's session privileges
The vulnerability mechanism involves filenames being passed directly to innerHTML in the upload response handling. When the browser parses this content, any embedded HTML tags including script elements are interpreted and executed. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33436
Indicators of Compromise
- Uploaded files with filenames containing HTML tags, script elements, or event handlers such as <script>, <img>, onerror=, or onclick=
- Browser console errors or unexpected JavaScript execution during file upload operations
- Unusual network requests originating from the Stirling-PDF application to external domains
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block filenames containing HTML/JavaScript patterns
- Monitor application logs for file uploads with suspicious characters in filenames (angle brackets, event handlers)
- Deploy Content Security Policy (CSP) headers to restrict inline script execution and mitigate XSS impact
Monitoring Recommendations
- Enable verbose logging on file upload endpoints to capture all filename metadata
- Configure browser-based security monitoring to detect anomalous script execution
- Review upload logs regularly for patterns indicative of XSS payload attempts
How to Mitigate CVE-2026-33436
Immediate Actions Required
- Upgrade Stirling-PDF to version 2.0.0 or later immediately
- If immediate upgrade is not possible, restrict access to the Stirling-PDF instance to trusted users only
- Implement Content Security Policy headers to mitigate the impact of potential XSS attacks
- Educate users about the risks of uploading files from untrusted sources
Patch Information
The vulnerability has been fixed in Stirling-PDF version 2.0.0. Users should upgrade to this version or later to remediate the vulnerability. The fix involves proper sanitization of user-supplied filenames before rendering them in HTML and replacing unsafe innerHTML usage with secure alternatives like textContent. Refer to the GitHub Security Advisory for additional details on the patch.
Workarounds
- Deploy the application behind a reverse proxy with input validation rules that strip or reject filenames containing HTML characters
- Implement client-side filename validation before upload to reject files with suspicious characters
- Configure strict Content Security Policy headers to prevent inline script execution
# Example nginx configuration to add CSP headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
