CVE-2026-34071 Overview
CVE-2026-34071 is a Cross-Site Scripting (XSS) vulnerability affecting Stirling-PDF, a locally hosted web application that enables users to perform various operations on PDF files. The vulnerability exists in the /api/v1/convert/eml/pdf endpoint when the downloadHtml=true parameter is used. This endpoint returns unsanitized HTML from email bodies with a Content-Type: text/html header, allowing malicious JavaScript execution when a user exports an email using the "Download HTML intermediate file" feature.
Critical Impact
An attacker can achieve JavaScript execution in the context of a victim's browser session by sending a malicious email that is subsequently processed through Stirling-PDF's email-to-PDF conversion feature.
Affected Products
- Stirling-PDF version 2.7.3
- Stirling-PDF versions prior to 2.8.0
Discovery Timeline
- 2026-03-26 - CVE-2026-34071 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-34071
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw resides in the email-to-PDF conversion functionality of Stirling-PDF, specifically in how the application handles HTML content extracted from email files.
When a user uploads an EML file and requests the HTML intermediate file through the /api/v1/convert/eml/pdf endpoint with the downloadHtml=true parameter, the application fails to sanitize the HTML content from the email body before returning it to the user's browser. Since the response is served with Content-Type: text/html, any JavaScript embedded in the malicious email is executed in the user's browser context.
The attack requires user interaction: the victim must process a malicious email through Stirling-PDF and choose to download the HTML intermediate file, so successful exploitation depends on a social engineering step.
Root Cause
The root cause of this vulnerability is the absence of proper input sanitization and output encoding when handling email body content. The application directly returns the raw HTML content from parsed EML files without neutralizing potentially dangerous elements such as <script> tags, event handlers (e.g., onclick, onerror), or other XSS vectors. The combination of unsanitized user-controlled content and an HTML content type response creates the conditions necessary for XSS exploitation.
Attack Vector
The attack vector is network-based and requires the following conditions:
- An attacker crafts a malicious email containing JavaScript payloads embedded in the HTML body
- The attacker delivers this email to the victim through standard email delivery mechanisms
- The victim uploads the malicious EML file to their Stirling-PDF instance
- The victim uses the email-to-PDF conversion feature with the "Download HTML intermediate file" option enabled
- The malicious JavaScript executes in the victim's browser when the HTML file is served
The vulnerability can be exploited through various XSS payload techniques embedded in the email body, including script tags, event handlers in HTML attributes, or JavaScript protocol handlers. Since Stirling-PDF is a locally hosted application, successful exploitation could potentially allow an attacker to access local resources or perform actions on behalf of the authenticated user.
Detection Methods for CVE-2026-34071
Indicators of Compromise
- Suspicious API calls to /api/v1/convert/eml/pdf with downloadHtml=true parameter containing unusual payloads
- Presence of EML files with embedded JavaScript or suspicious HTML content in upload directories
- Browser console errors or unexpected script execution when processing email conversions
Detection Strategies
- Monitor web application logs for requests to the vulnerable endpoint with the downloadHtml=true parameter
- Implement Web Application Firewall (WAF) rules to detect common XSS patterns in uploaded EML files
- Review application logs for unusual patterns in email file processing activities
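The following is an added example, not code from this advisory or from the Stirling-PDF project: a Python scanner that parses an uploaded EML with the standard library, extracts its text/html parts, and reports the three vector classes the Root Cause section names (script elements, on* event-handler attributes, and javascript: URLs, with whitespace inside the scheme removed because browsers ignore it). The sample message is constructed for the example.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Constructed sample message (not a real email): one HTML body carrying a
# script element, an event-handler attribute and a javascript: URL.
SAMPLE_EML = b"""\
From: sender@example.test
Content-Type: text/html; charset="utf-8"

<html><body>
<script>doSomething()</script>
<img src="x" onerror="doSomething()">
<a href="javascript:doSomething()">open</a>
"""

class ActiveContentScanner(HTMLParser):
    """Records constructs that would execute script if the HTML were rendered."""
    URL_ATTRS = {"href", "src", "action", "formaction", "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # names arrive lower-cased
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in self.URL_ATTRS and value is not None:
                if re.sub(r"\s", "", value).lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")

def html_bodies(eml_bytes):
    """Yield the decoded text/html parts of the message, in MIME order."""
    msg = message_from_bytes(eml_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def scan_eml(eml_bytes):
    """Return findings for every HTML body; an empty list means nothing was flagged."""
    findings = []
    for body in html_bodies(eml_bytes):
        scanner = ActiveContentScanner()
        scanner.feed(body)
        scanner.close()
        findings.extend(scanner.findings)
    return findings
```

Only text/html parts are inspected, so script-like text inside a text/plain part is not reported; the same parser walk is the natural place to neutralize what it finds before an intermediate file is handed back to a browser.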
Monitoring Recommendations
- Enable detailed logging for the /api/v1/convert/eml/pdf endpoint to capture request parameters and source IPs
- Set up alerts for high volumes of email-to-PDF conversion requests from single sources
- Monitor for Content Security Policy (CSP) violation reports if CSP headers are implemented
How to Mitigate CVE-2026-34071
Immediate Actions Required
- Upgrade Stirling-PDF to version 2.8.0 or later, which contains the security fix for this vulnerability
- If immediate upgrade is not possible, disable or restrict access to the email-to-PDF conversion feature
- Implement network-level access controls to limit who can access the Stirling-PDF instance
- Educate users about the risks of processing untrusted email files
Patch Information
The vulnerability has been addressed in Stirling-PDF version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. For detailed information about the fix and the security advisory, refer to the GitHub Security Advisory for GHSA-xmhg-fv84-jgfc.
Workarounds
- Restrict access to the Stirling-PDF instance to trusted users only via network segmentation or authentication controls
- Disable the "Download HTML intermediate file" feature if not required for business operations
- Implement a Content Security Policy (CSP) header to mitigate the impact of potential XSS attacks
- Use a reverse proxy with WAF capabilities to filter malicious content in uploaded files
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.