{"id":"UBUNTU-CVE-2026-23907","details":"This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, and from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly: the initial path and the extraction paths are now converted into canonical paths, and it is verified that the extraction path contains the initial path. The documentation has also been adjusted.","modified":"2026-05-20T16:24:43.481541293Z","published":"2026-03-10T18:18:00Z","upstream":["CVE-2026-23907"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-23907"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-23907"}],"affected":[{"package":{"name":"libpdfbox-java","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox-java?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.8.7+dfsg-1","1:1.8.10-1","1:1.8.10-2","1:1.8.11+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libfontbox-java","binary_version":"1:1.8.11+dfsg-1"},{"binary_version":"1:1.8.11+dfsg-1","binary_name":"libjempbox-java"},{"binary_version":"1:1.8.11+dfsg-1","binary_name":"libpdfbox-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox-java","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox-java?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.8.13-1","1:1.8.13-2","1:1.8.16-2~18.04"],"ecosystem_specific":{"binaries":[{"binary_name":"libfontbox-java","binary_version":"1:1.8.
16-2~18.04"},{"binary_version":"1:1.8.16-2~18.04","binary_name":"libjempbox-java"},{"binary_version":"1:1.8.16-2~18.04","binary_name":"libpdfbox-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox2-java","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox2-java?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.7-1","2.0.8-1","2.0.8-2","2.0.9-1","2.0.13-2~18.04"],"ecosystem_specific":{"binaries":[{"binary_name":"libfontbox2-java","binary_version":"2.0.13-2~18.04"},{"binary_version":"2.0.13-2~18.04","binary_name":"libpdfbox2-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox-java","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox-java?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.8.16-2"],"ecosystem_specific":{"binaries":[{"binary_name":"libfontbox-java","binary_version":"1:1.8.16-2"},{"binary_version":"1:1.8.16-2","binary_name":"libjempbox-java"},{"binary_version":"1:1.8.16-2","binary_name":"libpdfbox-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox2-java","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox2-java?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.16-1","2.0.17-1","2.0.18-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libfontbox2-java","binary_version":"2.0.18-1"},{"binary_version":"2.0.18-1","binary_name":"libpdfbox2-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"packag
e":{"name":"libpdfbox-java","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox-java?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.8.16-2"],"ecosystem_specific":{"binaries":[{"binary_version":"1:1.8.16-2","binary_name":"libfontbox-java"},{"binary_version":"1:1.8.16-2","binary_name":"libjempbox-java"},{"binary_name":"libpdfbox-java","binary_version":"1:1.8.16-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox2-java","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox2-java?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.23-1","2.0.24-2","2.0.25-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.25-1","binary_name":"libfontbox2-java"},{"binary_name":"libpdfbox2-java","binary_version":"2.0.25-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox-java","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox-java?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.8.16-4","1:1.8.16-5"],"ecosystem_specific":{"binaries":[{"binary_version":"1:1.8.16-5","binary_name":"libfontbox-java"},{"binary_version":"1:1.8.16-5","binary_name":"libjempbox-java"},{"binary_name":"libpdfbox-java","binary_version":"1:1.8.16-5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox2-java","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox2-java?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.27-2","2.0.29-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0
.29-1","binary_name":"libfontbox2-java"},{"binary_name":"libpdfbox2-java","binary_version":"2.0.29-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox-java","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/libpdfbox-java?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.8.16-5"],"ecosystem_specific":{"binaries":[{"binary_version":"1:1.8.16-5","binary_name":"libfontbox-java"},{"binary_version":"1:1.8.16-5","binary_name":"libjempbox-java"},{"binary_name":"libpdfbox-java","binary_version":"1:1.8.16-5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox2-java","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/libpdfbox2-java?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.29-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.29-1","binary_name":"libfontbox2-java"},{"binary_version":"2.0.29-1","binary_name":"libpdfbox2-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox-java","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/libpdfbox-java?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.8.16-5"],"ecosystem_specific":{"binaries":[{"binary_version":"1:1.8.16-5","binary_name":"libfontbox-java"},{"binary_version":"1:1.8.16-5","binary_name":"libjempbox-java"},{"binary_version":"1:1.8.16-5","binary_name":"libpdfbox-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}},{"package":{"name":"libpdfbox2-java","ecosystem":"Ubuntu:26.04:LTS","pu
rl":"pkg:deb/ubuntu/libpdfbox2-java?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.29-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.29-1","binary_name":"libfontbox2-java"},{"binary_version":"2.0.29-1","binary_name":"libpdfbox2-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-23907.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}