Vulnerability-Lookup

SUSE-SU-2026:22088-1

Vulnerability from csaf_suse - Published: 2026-06-08 14:37 - Updated: 2026-06-08 14:37

Summary

Security update for apache-pdfbox

Severity

Moderate

Notes

Title of the patch: Security update for apache-pdfbox

Description of the patch: This update for apache-pdfbox fixes the following issues: Update to version 2.0.36. Security issues fixed: - CVE-2026-33929: path traversal in the `ExtractEmbeddedFiles` example code can lead to arbitrary file writes (bsc#1262046). Other updates and bugfixes: - Version 2.0.36: - XMPBox removes namespaces on serialization - False negative on PDFA-1b validation : missing field type - PlainText.Paragraph.getLines extremely slow on long lines - Valid PDF/A 1B is rejected - Potential StackOverflows in BaseParser - Unknown code in Huffman RLE stream - IllegalArgumentException: Can't add attribute to 0-length text - TTFSubsetter.buildGlyfTable() modifies glyphIds while iterating over its entries possibly causing ConcurrentModificationException to be thrown - IndexOutOfBoundsException in Type1CharStringParser.processCallSubr() - Exception "No type defined for {http://www.aiim.org/pdfa/ns/id/}rev" when trying to determine version of PDF/A-4 document - allow new PDF/A-4 conformance levels - pdfbox-app-X.X.X-sources.jar on maven central are empty (and javadoc jar is missing) - Cmd line docs - IllegalArgumentException: Multiplying two matrices produces illegal values in PDFStreamEngine.processAnnotation() - XmpParsingException: Schema is not set in this document: http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - NullPointerException in FontMapperImpl.getFontMatches() - border style in FDFAnnotation is not initialized if width is 0 - German umlauts are not rendered - Invalid type in Schema not detected when in XML attributes - Serializing produces date "1-01-01T00:00:00+01:00" - Seconds of date "D:2015-02-03T10:11:12" returned as 0 - Confusing naming of "DerivedFrom" property getter in XMPMediaManagementSchema - ClassCastException in XMPMediaManagementSchema.getHistory() - IllegalArgumentException: Input buffer too short in StandardSecurityHandler.computeRC4key() - IllegalArgumentException: Width (0) and height (0) cannot be <= 0 when printing landscape rotated with RASTERIZE_DPI_AUTO - DateConverter fails on valid date - ClassCastException: class org.apache.xmpbox.type.TextType cannot be cast to class org.apache.xmpbox.type.ArrayProperty in DublinCoreSchema.getCreatorsProperty() - tiff:YCbCrSubSampling and tiff:YCbCrPositioning have wrong cardinality - ClassCastException: class org.apache.xmpbox.type.FlashType - Cannot find a definition for the namespace http://www.w3.org/1999/02/22-rdf-syntax-ns#, property: rdf:Description http://ns.adobe.com/xap/1.0/sType/ResourceEvent#, property:stEvt:action - XmpParsingException: Missing pdfaSchema:property in type definition in lenient mode - XmpParsingException: Unknown property value type : Open Choice of Integer - XmpParsingException: Property 'CountryCode' not defined in http://www.epo.org/patent-bibliographic-data/1.0/ - date "0-00-00T00:00:00-04:00" read as "0002-11-30T00:00:00-40:00" - XmpParsingException: Type 'stRef:documentName' not defined in http://ns.adobe.com/xap/1.0/sType/ResourceRef# in lenient mode - Invalid PDF/A namespace definition, prefix: xmlns, namespace: http://www.aiim.org/pdfa/ns/extension/ http://www.aiim.org/pdfa/ns/extension/, property: pdfaExtension:schemas - NegativeArraySizeException in PredictorOutputStream() - NullpointerException in PDAcroForm.getField(Line 485) - OutOfMemoryError when trying to extract text from pdf - Outlines circular reference vulnerability - Rendered text missing - Inverted images due to enlarged decode array - PDF displays garbled characters in Adobe Reader but renders correctly in web browsers - NullPointerException while merging PDFs with output intents - Valid XMP Extension Schema rejected - Remove dead code from PDFMarkedContentExtractor - Include test file in test class - Get and Add PageTextSchema - Remove / deprecate TypeMapping.getAssociatedSchemaObject() - Support Seq / Bag mixup in lenient mode - Parse xmp files in lenient mode that have no processing instructions - deprecate getPDFIdentificationSchema() in favor of getPDFAIdentificationSchema() - Support TIFF-files with FillOrder=2 conversion to PDF - Remove / deprecate unused parts of PDIndexed - modernize rat exclusions - Version 2.0.35: - NegativeArraySizeException with PDF file with huge fonts - Inline image bug with multi-byte newline tokens - fix initial ByteArrayOutputStream size for deflate operation - PDF takes an hour to render - Splitter does not include structure tree in documents past the first split - build fails on jdk11 - Load a TTF font which is from Mac OS throw an exception - Wrong glyphs since PDFBOX-5790 - ClassCastException on broken file in PDEmbeddedFilesNameTreeNode.convertCOSToPD() - invalid XMP generated when Apache Xalan in the classpath - XMP JobType constructor ignores fieldPrefix - NullPointerException in xmpbox serializer if a date is empty - Rendering issue with type 2 shading: vertical expansion - Possible infinite loop in shading code - Potential OOM in XrefStreamParser - Potential StackOverflow in PDFStreamParser - Potential StackOverflow in PDPageTree's getInheritableAttribute - Potential OOM in Type1Lexer - Potential OOM in PfbParser - PDMarkedContentReference.setMCID() should not accept negative numbers - IllegalPathStateException: missing initial moveto in path definition - Fix possible ClassCastException - NullPointerException in COSDictionary - StringIndexOutOfBoundsException in PlainText$Paragraph.getLines() - LZWFilter crashes, probably not handling the KwKwK special case - NullPointerException in PDNumberTreeNode.getNumbers() - UnsupportedOperationException: JPX color spaces don't support drawing - Signing tries to set byteRange of old signature (2) - ClassCastException in PDOptionalContentProperties.getBaseState() - Add test for embedded files - set size for ByteArrayOutputStreams - avoid creation of temporary objects when parsing hex values - avoid unnecessary map lokups - remove unnecessary iteration and StringBuilder creation - Support reverse landscape orientation for printing - Add test coverage for orphan annotation - Remove orphan popup parent annotation - Improve XmpSerializer test by verifying its output - Consider rotation of page when applying overlay - Preserve Perms dictionary when signing - Check /ParentTree against /K tree - Add test for 5521 - Refactor RC4Cipher - Regression tests for 2.0.35 - Version 2.0.34: - PageDrawer is not rendering unrotatable Annotations on rotated pages - Zero-width non-joiner characters visible in generated PDF - Surrogate pairs with combining diacritics are incorrectly ordered on text extraction - TestCreateSignature.testCreateSignedTimeStamp checkLTV build test fail (2) / Support several issuers - IllegalArgumentException: Width (0) and height (0) must be non-zero - Merge docs with specific characteristics causes stack overflow - InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey - Can't read the embedded Type1 font: Found Token[kind=NAME,text=def] but expected begin - Wrong size entry in trailer after incremental save - FileSystemFontProvider doesn't register failed type1 fonts - Text annotation crosshair symbol too small when using Adobe symbol font - Orphan /OpenAction destination page kept in merge - PDFRenderer causes endless loop - Invalid stream length: 0, stream start position: <xxx> - Inline image incorrectly parsed (2) - IllegalArgumentException: Not a valid Unicode code point: 0xE28496 - Type 3 font glyphs not displayed - Rendered PDF is missing shading pattern graphics - NPE during merge - Class cast exception in building PDDestinationNameTreeNode - DomXmpParser incorrectly expects namespaces on attribute level - BDC processor mishandles property name - Can't render some Type1C fonts. - PDF to Image conversion results in a blank white page - Implement PDFormXObject.setGroup() - CertificateVerifier.isSelfSigned() should not throw an exception - Use Zapf Dingbats code for cross text annotation - Support PushPin, Tag and Graph file attachment annotation icons - Improve PDFMergerUtility memory footprint - Support rare RC4 encryption where R=4, key length < 128 bits - Improve checkWithNumberTree() test - Use SHA256 instead of MD5 for document id - Version 2.0.33: - Character positions shifted - Incorrectly extracted text (broken words) - Wrong color of uncolored tiling pattern - OutOfMemoryError - during renderImageWithDPI - BaseParser fails when a number is followed by a string starting with 'e' - Type3 font is not rendered - Flattening removes all annotations when widget annotation has no page - Image lost on page render - extra whitespaces when extracting Arabic text - SMaskInData not supported for JPX images - Kid Widget /DA is ignored in setDefaultAppearance() call - Radio button can't be set - the PDDocument.documentId does not seem to be written into the flat byteStream - PDFBox is unable to remove ID - Fix last step of the build process - StringIndexOutOfBoundsException in AppearanceGeneratorHelper - ClassCastException in SetLineJoinStyle.process() - Unable to load password protected pdf - PDFBox not extracting text of non-latin languages(tamil, bengali) properly but adobe reader's save as text does - Checkstyle - [PATCH] Detect CMYK image without relying on metadata - Regression from PDFBOX-5841: Text extraction with rotation magic fails for PDF with multiple content streams in a page - PDF render blank page: The end of the stream doesn't point to the correct offset, using workaround to read the stream, stream start position: 196, length: 0, expected end position: 196 - CVE for Lucene libraries - The pattern created with PDFBox shows inconsistent colors between Safari and Adobe. - BDC sequence with resource reference instead of with MCID - StackOverflowError in PDFieldFactory.findFieldType - ClassCastException in AnnotationValidator - The CPU usage of a PDF file with a size of 85.6 MB is abnormal - Many ZapfDingbats symbols do not appear when page is rendered. - IOException when reading isolated "+" - IllegalArgumentException: capacity < 0: (-75475220 < 0) in RandomAccessReadBuffer constructor - FontBox spawns a `cmd` subprocess to read an environment variable (on Windows) - Implement PDF 2.0 dash phase clarification (2) - Particular PDF fails on renderImageWithDPI call - PDType0Font return invalid space width - Icons of text annotations sometimes too large - Orphan page check doesn't check annotation destinations - NPE in COSArray.indexOfObject - NPE in PagePane.mouseMoved() - ArrayIndexOutOfBoundsException in CMap.toInt() - Show ASN.1 decoded Contents for Signature-Dictionary - Exchange hard-coded values for variables and provide command-line options in TextToPDF component - Long rendering time of fonts in a specific PDF - Support imageio-jnr / imageio-openjpeg library for JPEG2000 decoding - Improve ExtractTTFFonts - Change Loglevel from Warn to info when rebuilding font cache - Support OCG visibility expressions - Add page getter/setter to PDObjectReference - Support long values for COSInteger objects - Empty constructor for PDViewerPreferences - Add check of /P to PDFMergerUtilityTest - support Markdown extraction from the command line - Calculate dpi dynamically when printing with raster - Remove orphan annotations in structure tree - Add font name to PrintTextLocations - Improve detection whether printing or viewing - Hi CPU and memory usage when converting a PDF with type 4 shading - 2.0 builds fail on jenkins because jdk11 no longer supported - Version 2.0.32: - preflight-app fails on Java 11+ with NoClassDefFoundError: javax/activation/DataSource - AppearanceGeneratorHelper assumes fontscale 1000 - Remove release subproject - Don't use a predefined CMap if a ToUnicode CMap is present - Regression NPE in Splitter - The content of the specified font is lost, Google Chrome can display it - Crash for Softmask with incorrect backdrop color components - Observable Timing Discrepancy (Timing Attack) - Black rectangle over image - Wrong font substitution for Wingdings - PDDocument#importPage slowed down by factor 1300 - Split aborts with broken destinations - IllegalArgumentException: Parameter must be 1-based, but is 0 when using PDFTextStripperByArea - Files created with PDFMergerExample are not correct PDF/A - Missing /Subtype and /Type in Metadata not detected - Multiple exceptions coming from org.apache.fontbox.ttf for different PDFs - IOException: Error expected floating point numberactual='-12.-1' - NullPointerException: Cannot invoke "String.codePointAt(int)" because "uni" is null - DomXmpParser - IllegalArgumentException: prefix cannot be "null" when creating a QName - ClassCastException: org.apache.pdfbox.cos.COSNull cannot be cast to org.apache.pdfbox.cos.COSDictionary - IllegalArgumentException: Width (26) and height (0) must be non-zero - There is an exception when getting embedded font, is it compatible? - Infinite loop after splitting and saving PDF / giant result files - JPEGFactory. Reduce logging severity when no image metadata is present - Add test for surrogate pair character ð© ̧1⁄2 - Update unicode Scripts.txt - Include a PDFA check with VeraPDF for CreatePDFATest - Add center constructor parameter to PDFPageable and to pdfbox-app - When splitting, keep named page destinations that are part of target document(s) - When this PDF is rendered with the "f" Operator, a black screen appears. - Investigate why we get "response contains wrong nonce value" during build tests - Version 2.0.31: - [PATCH] Split pdf lose accessibility tags - Allow creating of PDFXObjectImage without accessing to the image stream - PfbParser fails to parse PFB font with multiple binary records. - Lines vanish when printing on MacOS - java.lang.IllegalArgumentException: Provided dictionary is not of type 'COSName{OCG}' - The embedded font DroidSansFallbackFull reports an error when parsing, and finally uses lastResortFont, resulting in garbled fonts. - COSName caches already cached hashCode - Font operation takes a long time with 3.0.1 - NullPointerException in TTFSubsetter.buildPostTable() - Problem converting PDF to image (java.awt.color.CMMException: Can not access specified profile) - Set the default value for PDNonTerminalField - java.lang.ArrayIndexOutOfBoundsException Bug Report - Wrong colors in PDF since PDFBOX-5488 - Java 7 support on 2.0 - Convert to image exception - PDF conversion in this format is very slow. Is there any room for optimization? - IllegalArgumentException: -Infinity is not a finite number - Inconsistent signature page handling when signing in existing signature fields - Add leading "0" for octal values in MacOSRomanEncoding - DataFormatException: invalid distance too far back - Grayscale JPEG rendered multicolor - OutOfMemoryError in FileSystemFontsProvider.scanFonts - NPE in PageDrawer.getPaint() - Issue with embedded Font and descendant Font - LCMS error 13: Mismatched alpha channels - Enable Native Markdown Extraction in Apache PDFBox - When splitting, keep page destinations that are part of target document(s) - Replace Exception with some repair attempt - Version 2.0.30: - Regression unicode mapping in Korean document - Operators "q" and "Q" should also preserve text matrices - Signature Image not Rendered starting with PDFBox 2.0.23 - Fonts are not subsetted when saving incrementally - Bug in PDFMergerUtility#mergeFields - Password protected PDF opens in GUI apps but PDFbox says invalid password - Wrong error message "2.4.1 : Invalid Color space, The operator "rg" can't be used with CMYK Profile" - Make FDF annotations more compliant with the specification - NPE in DomXmpParser.parseLiDescription - Regression: NoSuchElementException in PDFXrefStreamParser - The PageDrawer.strokePath method is blocked, and cpu100% - Avoid NPE when processing CFF2 based fonts - IllegalArgumentException: Dimensions (width=458477041 height=26) are too large - Can not see checkbox check - NPE when converting pdf to image. - NullPointerException in XMPMetadata.getSchema() - PDFToImage might not correctly detect unsupported image formats - Font cache isn't effective on my machine, always rebuilds - PDF to Image conversion results in different converted image - Text in a certain font is lost when converting pdf to image - Incorrect colors in image from PDFs (DCTDecode) - Inconsistent/incomplete PDF rendering - Improve code quality (4) - Add PDRectangle#TABLOID paper size - Support version 0.5 of MaximumProfileTable - loca-table isn't mandatory for TTF/OTF-fonts using CFF outlines - Implement PDF 2.0 dash phase clarification - Add getter and setter for the CO array under PDAcroForm - Make UTC timezone static - Facilitate migration to PDFBox 3.0 - Consolidate bouncycastle configuration - Consistent scm.url values for pom.xml - use comparison operators for enums

Patchnames: SUSE-SLES-16.0-905

CVE-2026-3392

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch	—	Vendor Fix

Threats

Impact moderate

CVE-2026-33929

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch	—	Vendor Fix

Threats

Impact moderate

References

10 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-updates/2026…	self
https://bugzilla.suse.com/1262046	self
https://www.suse.com/security/cve/CVE-2026-3392/	self
https://www.suse.com/security/cve/CVE-2026-33929/	self
https://www.suse.com/security/cve/CVE-2026-3392	external
https://www.suse.com/security/cve/CVE-2026-33929	external
https://bugzilla.suse.com/1262046	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for apache-pdfbox",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for apache-pdfbox fixes the following issues:\n\nUpdate to version 2.0.36.\n\nSecurity issues fixed:\n\n- CVE-2026-33929: path traversal in the `ExtractEmbeddedFiles` example code can lead to arbitrary file writes\n  (bsc#1262046).\n\nOther updates and bugfixes:\n\n- Version 2.0.36:\n  - XMPBox removes namespaces on serialization\n  - False negative on PDFA-1b validation : missing field type\n  - PlainText.Paragraph.getLines extremely slow on long lines\n  - Valid PDF/A 1B is rejected\n  - Potential StackOverflows in BaseParser\n  - Unknown code in Huffman RLE stream\n  - IllegalArgumentException: Can\u0027t add attribute to 0-length text\n  - TTFSubsetter.buildGlyfTable() modifies glyphIds while iterating over its entries possibly causing\n    ConcurrentModificationException to be thrown\n  - IndexOutOfBoundsException in Type1CharStringParser.processCallSubr()\n  - Exception \"No type defined for {http://www.aiim.org/pdfa/ns/id/}rev\" when trying to determine version of PDF/A-4\n    document\n  - allow new PDF/A-4 conformance levels\n  - pdfbox-app-X.X.X-sources.jar on maven central are empty (and javadoc jar is missing)\n  - Cmd line docs\n  - IllegalArgumentException: Multiplying two matrices produces illegal values in PDFStreamEngine.processAnnotation()\n  - XmpParsingException: Schema is not set in this document: http://ns.adobe.com/xap/1.0/sType/ResourceEvent#\n  - NullPointerException in FontMapperImpl.getFontMatches()\n  - border style in FDFAnnotation is not initialized if width is 0\n  - German umlauts are not rendered\n  - Invalid type in Schema not detected when in XML attributes\n  - Serializing produces date \"1-01-01T00:00:00+01:00\"\n  - Seconds of date \"D:2015-02-03T10:11:12\" returned as 0\n  - Confusing naming of \"DerivedFrom\" property getter in XMPMediaManagementSchema\n  - ClassCastException in XMPMediaManagementSchema.getHistory()\n  - IllegalArgumentException: Input buffer too short in StandardSecurityHandler.computeRC4key()\n  - IllegalArgumentException: Width (0) and height (0) cannot be \u003c= 0 when printing landscape rotated with\n    RASTERIZE_DPI_AUTO\n  - DateConverter fails on valid date\n  - ClassCastException: class org.apache.xmpbox.type.TextType cannot be cast to class\n    org.apache.xmpbox.type.ArrayProperty in DublinCoreSchema.getCreatorsProperty()\n  - tiff:YCbCrSubSampling and tiff:YCbCrPositioning have wrong cardinality\n  - ClassCastException: class org.apache.xmpbox.type.FlashType\n  - Cannot find a definition for the namespace http://www.w3.org/1999/02/22-rdf-syntax-ns#, property:\n    rdf:Description http://ns.adobe.com/xap/1.0/sType/ResourceEvent#, property:stEvt:action\n  - XmpParsingException: Missing pdfaSchema:property in type definition in lenient mode\n  - XmpParsingException: Unknown property value type : Open Choice of Integer\n  - XmpParsingException: Property \u0027CountryCode\u0027 not defined in http://www.epo.org/patent-bibliographic-data/1.0/\n  - date \"0-00-00T00:00:00-04:00\" read as \"0002-11-30T00:00:00-40:00\"\n  - XmpParsingException: Type \u0027stRef:documentName\u0027 not defined in http://ns.adobe.com/xap/1.0/sType/ResourceRef# in\n    lenient mode\n  - Invalid PDF/A namespace definition, prefix: xmlns, namespace: http://www.aiim.org/pdfa/ns/extension/\n    http://www.aiim.org/pdfa/ns/extension/, property: pdfaExtension:schemas\n  - NegativeArraySizeException in PredictorOutputStream()\n  - NullpointerException in PDAcroForm.getField(Line 485)\n  - OutOfMemoryError when trying to extract text from pdf\n  - Outlines circular reference vulnerability\n  - Rendered text missing\n  - Inverted images due to enlarged decode array\n  - PDF displays garbled characters in Adobe Reader but renders correctly in web browsers\n  - NullPointerException while merging PDFs with output intents\n  - Valid XMP Extension Schema rejected\n  - Remove dead code from PDFMarkedContentExtractor\n  - Include test file in test class\n  - Get and Add PageTextSchema\n  - Remove / deprecate TypeMapping.getAssociatedSchemaObject()\n  - Support Seq / Bag mixup in lenient mode\n  - Parse xmp files in lenient mode that have no processing instructions\n  - deprecate getPDFIdentificationSchema() in favor of getPDFAIdentificationSchema()\n  - Support TIFF-files with FillOrder=2 conversion to PDF\n  - Remove / deprecate unused parts of PDIndexed\n  - modernize rat exclusions\n- Version 2.0.35:\n  - NegativeArraySizeException with PDF file with huge fonts\n  - Inline image bug with multi-byte newline tokens\n  - fix initial ByteArrayOutputStream size for deflate operation\n  - PDF takes an hour to render\n  - Splitter does not include structure tree in documents past the first split\n  - build fails on jdk11\n  - Load a TTF font which is from Mac OS throw an exception\n  - Wrong glyphs since PDFBOX-5790\n  - ClassCastException on broken file in PDEmbeddedFilesNameTreeNode.convertCOSToPD()\n  - invalid XMP generated when Apache Xalan in the classpath\n  - XMP JobType constructor ignores fieldPrefix\n  - NullPointerException in xmpbox serializer if a date is empty\n  - Rendering issue with type 2 shading: vertical expansion\n  - Possible infinite loop in shading code\n  - Potential OOM in XrefStreamParser\n  - Potential StackOverflow in PDFStreamParser\n  - Potential StackOverflow in PDPageTree\u0027s getInheritableAttribute\n  - Potential OOM in Type1Lexer\n  - Potential OOM in PfbParser\n  - PDMarkedContentReference.setMCID() should not accept negative numbers\n  - IllegalPathStateException: missing initial moveto in path definition\n  - Fix possible ClassCastException\n  - NullPointerException in COSDictionary\n  - StringIndexOutOfBoundsException in PlainText$Paragraph.getLines()\n  - LZWFilter crashes, probably not handling the KwKwK special case\n  - NullPointerException in PDNumberTreeNode.getNumbers()\n  - UnsupportedOperationException: JPX color spaces don\u0027t support drawing\n  - Signing tries to set byteRange of old signature (2)\n  - ClassCastException in PDOptionalContentProperties.getBaseState()\n  - Add test for embedded files\n  - set size for ByteArrayOutputStreams\n  - avoid creation of temporary objects when parsing hex values\n  - avoid unnecessary map lokups\n  - remove unnecessary iteration and StringBuilder creation\n  - Support reverse landscape orientation for printing\n  - Add test coverage for orphan annotation\n  - Remove orphan popup parent annotation\n  - Improve XmpSerializer test by verifying its output\n  - Consider rotation of page when applying overlay\n  - Preserve Perms dictionary when signing\n  - Check /ParentTree against /K tree\n  - Add test for 5521\n  - Refactor RC4Cipher\n  - Regression tests for 2.0.35\n- Version 2.0.34:\n  - PageDrawer is not rendering unrotatable Annotations on rotated pages\n  - Zero-width non-joiner characters visible in generated PDF\n  - Surrogate pairs with combining diacritics are incorrectly ordered on text extraction\n  - TestCreateSignature.testCreateSignedTimeStamp checkLTV build test fail (2) / Support several issuers\n  - IllegalArgumentException: Width (0) and height (0) must be non-zero\n  - Merge docs with specific characteristics causes stack overflow - InvalidKeyException: Supplied key\n   (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey\n  - Can\u0027t read the embedded Type1 font: Found Token[kind=NAME,text=def] but expected begin\n  - Wrong size entry in trailer after incremental save\n  - FileSystemFontProvider doesn\u0027t register failed type1 fonts\n  - Text annotation crosshair symbol too small when using Adobe symbol font\n  - Orphan /OpenAction destination page kept in merge\n  - PDFRenderer causes endless loop\n  - Invalid stream length: 0, stream start position: \u003cxxx\u003e\n  - Inline image incorrectly parsed (2)\n  - IllegalArgumentException: Not a valid Unicode code point: 0xE28496\n  - Type 3 font glyphs not displayed\n  - Rendered PDF is missing shading pattern graphics\n  - NPE during merge\n  - Class cast exception in building PDDestinationNameTreeNode\n  - DomXmpParser incorrectly expects namespaces on attribute level\n  - BDC processor mishandles property name\n  - Can\u0027t render some Type1C fonts.\n  - PDF to Image conversion results in a blank white page\n  - Implement PDFormXObject.setGroup()\n  - CertificateVerifier.isSelfSigned() should not throw an exception\n  - Use Zapf Dingbats code for cross text annotation\n  - Support PushPin, Tag and Graph file attachment annotation icons\n  - Improve PDFMergerUtility memory footprint\n  - Support rare RC4 encryption where R=4, key length \u003c 128 bits\n  - Improve checkWithNumberTree() test\n  - Use SHA256 instead of MD5 for document id\n- Version 2.0.33:\n  - Character positions shifted\n  - Incorrectly extracted text (broken words)\n  - Wrong color of uncolored tiling pattern\n  - OutOfMemoryError - during renderImageWithDPI\n  - BaseParser fails when a number is followed by a string starting with \u0027e\u0027\n  - Type3 font is not rendered\n  - Flattening removes all annotations when widget annotation has no page\n  - Image lost on page render\n  - extra whitespaces when extracting Arabic text\n  - SMaskInData not supported for JPX images\n  - Kid Widget /DA is ignored in setDefaultAppearance() call\n  - Radio button can\u0027t be set\n  - the PDDocument.documentId does not seem to be written into the flat byteStream\n  - PDFBox is unable to remove ID\n  - Fix last step of the build process\n  - StringIndexOutOfBoundsException in AppearanceGeneratorHelper\n  - ClassCastException in SetLineJoinStyle.process()\n  - Unable to load password protected pdf\n  - PDFBox not extracting text of non-latin languages(tamil, bengali) properly but adobe reader\u0027s save as text does\n  - Checkstyle\n  - [PATCH] Detect CMYK image without relying on metadata\n  - Regression from PDFBOX-5841: Text extraction with rotation magic fails for PDF with multiple content streams in a\n    page\n  - PDF render blank page: The end of the stream doesn\u0027t point to the correct offset, using workaround to read the\n    stream, stream start position: 196, length: 0, expected end position: 196\n  - CVE for Lucene libraries\n  - The pattern created with PDFBox shows inconsistent colors between Safari and Adobe.\n  - BDC sequence with resource reference instead of with MCID\n  - StackOverflowError in PDFieldFactory.findFieldType\n  - ClassCastException in AnnotationValidator\n  - The CPU usage of a PDF file with a size of 85.6 MB is abnormal\n  - Many ZapfDingbats symbols do not appear when page is rendered.\n  - IOException when reading isolated \"+\"\n  - IllegalArgumentException: capacity \u003c 0: (-75475220 \u003c 0) in RandomAccessReadBuffer constructor\n  - FontBox spawns a `cmd` subprocess to read an environment variable (on Windows)\n  - Implement PDF 2.0 dash phase clarification (2)\n  - Particular PDF fails on renderImageWithDPI call\n  - PDType0Font return invalid space width\n  - Icons of text annotations sometimes too large\n  - Orphan page check doesn\u0027t check annotation destinations\n  - NPE in COSArray.indexOfObject\n  - NPE in PagePane.mouseMoved()\n  - ArrayIndexOutOfBoundsException in CMap.toInt()\n  - Show ASN.1 decoded Contents for Signature-Dictionary\n  - Exchange hard-coded values for variables and provide command-line options in TextToPDF component\n  - Long rendering time of fonts in a specific PDF\n  - Support imageio-jnr / imageio-openjpeg library for JPEG2000 decoding\n  - Improve ExtractTTFFonts\n  - Change Loglevel from Warn to info when rebuilding font cache\n  - Support OCG visibility expressions\n  - Add page getter/setter to PDObjectReference\n  - Support long values for COSInteger objects\n  - Empty constructor for PDViewerPreferences\n  - Add check of /P to PDFMergerUtilityTest\n  - support Markdown extraction from the command line\n  - Calculate dpi dynamically when printing with raster\n  - Remove orphan annotations in structure tree\n  - Add font name to PrintTextLocations\n  - Improve detection whether printing or viewing\n  - Hi CPU and memory usage when converting a PDF with type 4 shading\n  - 2.0 builds fail on jenkins because jdk11 no longer supported\n- Version 2.0.32:\n  - preflight-app fails on Java 11+ with NoClassDefFoundError: javax/activation/DataSource\n  - AppearanceGeneratorHelper assumes fontscale 1000\n  - Remove release subproject\n  - Don\u0027t use a predefined CMap if a ToUnicode CMap is present\n  - Regression NPE in Splitter\n  - The content of the specified font is lost, Google Chrome can display it\n  - Crash for Softmask with incorrect backdrop color components\n  - Observable Timing Discrepancy (Timing Attack)\n  - Black rectangle over image\n  - Wrong font substitution for Wingdings\n  - PDDocument#importPage slowed down by factor 1300\n  - Split aborts with broken destinations\n  - IllegalArgumentException: Parameter must be 1-based, but is 0 when using PDFTextStripperByArea\n  - Files created with PDFMergerExample are not correct PDF/A\n  - Missing /Subtype and /Type in Metadata not detected\n  - Multiple exceptions coming from org.apache.fontbox.ttf for different PDFs\n  - IOException: Error expected floating point numberactual=\u0027-12.-1\u0027\n  - NullPointerException: Cannot invoke \"String.codePointAt(int)\" because \"uni\" is null\n  - DomXmpParser - IllegalArgumentException: prefix cannot be \"null\" when creating a QName\n  - ClassCastException: org.apache.pdfbox.cos.COSNull cannot be cast to org.apache.pdfbox.cos.COSDictionary\n  - IllegalArgumentException: Width (26) and height (0) must be non-zero\n  - There is an exception when getting embedded font, is it compatible?\n  - Infinite loop after splitting and saving PDF / giant result files\n  - JPEGFactory. Reduce logging severity when no image metadata is present\n  - Add test for surrogate pair character \u00f0\u00a9 \u03271\u20442\n  - Update unicode Scripts.txt\n  - Include a PDFA check with VeraPDF for CreatePDFATest\n  - Add center constructor parameter to PDFPageable and to pdfbox-app\n  - When splitting, keep named page destinations that are part of target document(s)\n  - When this PDF is rendered with the \"f\" Operator, a black screen appears.\n  - Investigate why we get \"response contains wrong nonce value\" during build tests\n- Version 2.0.31:\n  - [PATCH] Split pdf lose accessibility tags\n  - Allow creating of PDFXObjectImage without accessing to the image stream\n  - PfbParser fails to parse PFB font with multiple binary records.\n  - Lines vanish when printing on MacOS\n  - java.lang.IllegalArgumentException: Provided dictionary is not of type \u0027COSName{OCG}\u0027\n  - The embedded font DroidSansFallbackFull reports an error when parsing, and finally uses lastResortFont, resulting in\n    garbled fonts.\n  - COSName caches already cached hashCode\n  - Font operation takes a long time with 3.0.1\n  - NullPointerException in TTFSubsetter.buildPostTable()\n  - Problem converting PDF to image (java.awt.color.CMMException: Can not access specified profile)\n  - Set the default value for PDNonTerminalField\n  - java.lang.ArrayIndexOutOfBoundsException Bug Report\n  - Wrong colors in PDF since PDFBOX-5488\n  - Java 7 support on 2.0\n  - Convert to image exception\n  - PDF conversion in this format is very slow. Is there any room for optimization?\n  - IllegalArgumentException: -Infinity is not a finite number\n  - Inconsistent signature page handling when signing in existing  signature fields\n  - Add leading \"0\" for octal values in MacOSRomanEncoding\n  - DataFormatException: invalid distance too far back\n  - Grayscale JPEG rendered multicolor\n  - OutOfMemoryError in FileSystemFontsProvider.scanFonts\n  - NPE in PageDrawer.getPaint()\n  - Issue with embedded Font and descendant Font\n  - LCMS error 13: Mismatched alpha channels\n  - Enable Native Markdown Extraction in Apache PDFBox\n  - When splitting, keep page destinations that are part of target document(s)\n  - Replace Exception with some repair attempt\n- Version 2.0.30:\n  - Regression unicode mapping in Korean document\n  - Operators \"q\" and \"Q\" should also preserve text matrices\n  - Signature Image not Rendered starting with PDFBox 2.0.23\n  - Fonts are not subsetted when saving incrementally\n  - Bug in PDFMergerUtility#mergeFields\n  - Password protected PDF opens in GUI apps but PDFbox says invalid password\n  - Wrong error message \"2.4.1 : Invalid Color space, The operator \"rg\" can\u0027t be used with CMYK Profile\"\n  - Make FDF annotations more compliant with the specification\n  - NPE in DomXmpParser.parseLiDescription\n  - Regression: NoSuchElementException in PDFXrefStreamParser\n  - The PageDrawer.strokePath method is blocked, and cpu100%\n  - Avoid NPE when processing CFF2 based fonts\n  - IllegalArgumentException: Dimensions (width=458477041 height=26) are too large\n  - Can not see checkbox check\n  - NPE when converting pdf to image.\n  - NullPointerException in XMPMetadata.getSchema()\n  - PDFToImage might not correctly detect unsupported image formats\n  - Font cache isn\u0027t effective on my machine, always rebuilds\n  - PDF to Image conversion results in different converted image\n  - Text in a certain font is lost when converting pdf to image\n  - Incorrect colors in image from PDFs (DCTDecode)\n  - Inconsistent/incomplete PDF rendering\n  - Improve code quality (4)\n  - Add PDRectangle#TABLOID paper size\n  - Support version 0.5 of MaximumProfileTable\n  - loca-table isn\u0027t mandatory for TTF/OTF-fonts using CFF outlines\n  - Implement PDF 2.0 dash phase clarification\n  - Add getter and setter for the CO array under PDAcroForm\n  - Make UTC timezone static\n  - Facilitate migration to PDFBox 3.0\n  - Consolidate bouncycastle configuration\n  - Consistent scm.url values for pom.xml\n  - use comparison operators for enums\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLES-16.0-905",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22088-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:22088-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622088-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:22088-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047309.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262046",
        "url": "https://bugzilla.suse.com/1262046"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-3392 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-3392/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33929 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33929/"
      }
    ],
    "title": "Security update for apache-pdfbox",
    "tracking": {
      "current_release_date": "2026-06-08T14:37:26Z",
      "generator": {
        "date": "2026-06-08T14:37:26Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:22088-1",
      "initial_release_date": "2026-06-08T14:37:26Z",
      "revision_history": [
        {
          "date": "2026-06-08T14:37:26Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-pdfbox-2.0.36-160000.1.1.noarch",
                "product": {
                  "name": "apache-pdfbox-2.0.36-160000.1.1.noarch",
                  "product_id": "apache-pdfbox-2.0.36-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
                "product": {
                  "name": "apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
                  "product_id": "apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server 16.0",
                  "product_id": "SUSE Linux Enterprise Server 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-pdfbox-2.0.36-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch"
        },
        "product_reference": "apache-pdfbox-2.0.36-160000.1.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
        },
        "product_reference": "apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-pdfbox-2.0.36-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch"
        },
        "product_reference": "apache-pdfbox-2.0.36-160000.1.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
        },
        "product_reference": "apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-3392",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-3392"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
          "SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-3392",
          "url": "https://www.suse.com/security/cve/CVE-2026-3392"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T14:37:26Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-3392"
    },
    {
      "cve": "CVE-2026-33929",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33929"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Apache PDFBox Examples.\n\nThis issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.\n\n\nUsers are recommended to update to version 2.0.37 or 3.0.8 once \navailable. Until then, they should apply the fix provided in GitHub PR \n427.\n\nThe ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn\u0027t consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with  /home/ABC, e.g.  \"/home/ABCDEF\".\n\nUsers who have copied this example into their production code should apply the mentioned change. The example \nhas been changed accordingly and is available in the project repository.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
          "SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33929",
          "url": "https://www.suse.com/security/cve/CVE-2026-33929"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262046 for CVE-2026-33929",
          "url": "https://bugzilla.suse.com/1262046"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-2.0.36-160000.1.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:apache-pdfbox-javadoc-2.0.36-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T14:37:26Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33929"
    }
  ]
}

CVE-2026-3392 (GCVE-0-2026-3392)

Vulnerability from cvelistv5 – Published: 2026-03-01 11:32 – Updated: 2026-03-02 18:20

Title

FascinatedBox lily lily_emitter.c eval_tree null pointer dereference

Summary

A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Severity

4.8 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R

3.3 (Low)


                        
                          CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-476 - NULL Pointer Dereference
CWE-404 - Denial of Service

Assigner

VulDB

References

6 references

URL	Tags
https://vuldb.com/?id.348278	vdb-entrytechnical-description
https://vuldb.com/?ctiid.348278	signaturepermissions-required
https://vuldb.com/?submit.761328	third-party-advisory
https://github.com/FascinatedBox/lily/issues/384	issue-tracking
https://github.com/oneafter/0122/blob/main/i384/r…	exploit
https://github.com/FascinatedBox/lily/	product

Impacted products

1 product

Vendor	Product	Version
FascinatedBox	lily	Affected: 2.0 Affected: 2.1 Affected: 2.2 Affected: 2.3

Credits

Oneafter (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3392",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-02T18:19:37.051026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-02T18:20:08.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lily",
          "vendor": "FascinatedBox",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "2.1"
            },
            {
              "status": "affected",
              "version": "2.2"
            },
            {
              "status": "affected",
              "version": "2.3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Oneafter (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 1.7,
            "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "Denial of Service",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-01T11:32:11.374Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-348278 | FascinatedBox lily lily_emitter.c eval_tree null pointer dereference",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.348278"
        },
        {
          "name": "VDB-348278 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.348278"
        },
        {
          "name": "Submit #761328 | FascinatedBox lily main-branch NULL Pointer Dereference",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.761328"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/FascinatedBox/lily/issues/384"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/oneafter/0122/blob/main/i384/repro.lily"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/FascinatedBox/lily/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-28T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-28T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-28T18:09:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "FascinatedBox lily lily_emitter.c eval_tree null pointer dereference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-3392",
    "datePublished": "2026-03-01T11:32:11.374Z",
    "dateReserved": "2026-02-28T17:03:52.364Z",
    "dateUpdated": "2026-03-02T18:20:08.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33929 (GCVE-0-2026-33929)

Vulnerability from cvelistv5 – Published: 2026-04-14 08:09 – Updated: 2026-04-14 19:50

Title

Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code

Summary

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

apache

References

3 references

URL	Tags
https://github.com/apache/pdfbox/pull/427/changes	patch
https://lists.apache.org/thread/op3lyx1ngzy4qycn0…	mailing-list
https://lists.apache.org/thread/j8l07tgzy9dm8d8n0…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache PDFBox Examples	Affected: 2.0.24 , ≤ 2.0.36 (semver) Affected: 3.0.0 , ≤ 3.0.7 (semver)

Credits

Kaixuan Li

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33929",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T19:50:04.295675Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T19:50:07.000Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.pdfbox:pdfbox-examples",
          "product": "Apache PDFBox Examples",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.0.36",
              "status": "affected",
              "version": "2.0.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "3.0.7",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kaixuan Li"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Apache PDFBox Examples.\u003c/p\u003e\u003cp\u003eThis issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.\u003c/p\u003e\u003cp\u003e\nUsers are recommended to update to version 2.0.37 or 3.0.8 once \navailable. Until then, they should apply the fix provided in GitHub PR \n427.\u003c/p\u003e\u003cp\u003eThe ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn\u0027t consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with\u0026nbsp;/home/ABC, e.g.\u0026nbsp;\"/home/ABCDEF\".\u003c/p\u003e\u003cp\u003eUsers who have copied this example into their production code should apply the mentioned change. The example \nhas been changed accordingly and is available in the project repository.\u003c/p\u003e"
            }
          ],
          "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Apache PDFBox Examples.\n\nThis issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.\n\n\nUsers are recommended to update to version 2.0.37 or 3.0.8 once \navailable. Until then, they should apply the fix provided in GitHub PR \n427.\n\nThe ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn\u0027t consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with\u00a0/home/ABC, e.g.\u00a0\"/home/ABCDEF\".\n\nUsers who have copied this example into their production code should apply the mentioned change. The example \nhas been changed accordingly and is available in the project repository."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T08:09:39.517Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/pdfbox/pull/427/changes"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6"
        }
      ],
      "source": {
        "defect": [
          "PDFBOX-6180"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-33929",
    "datePublished": "2026-04-14T08:09:39.517Z",
    "dateReserved": "2026-03-24T17:06:35.279Z",
    "dateUpdated": "2026-04-14T19:50:07.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:22088-1

CVE-2026-3392 (GCVE-0-2026-3392)

CVE-2026-33929 (GCVE-0-2026-33929)

Tags

Sightings

Nomenclature