CVE-2026-27625 is a path traversal vulnerability classified under CWE-22 and CWE-23 affecting Stirling-PDF, a locally hosted web application for PDF operations. The vulnerability resides in the /api/v1/convert/markdown/pdf endpoint, which processes user-supplied ZIP files by extracting their contents. Prior to version 2.5.2, the application fails to properly validate or restrict the paths of ZIP entries during extraction, allowing authenticated users to craft ZIP archives containing entries with directory traversal sequences (e.g., ../) that escape the intended temporary working directory. This improper limitation enables arbitrary file writes anywhere the stirlingpdfuser process has write permissions. The attacker can overwrite existing files, potentially leading to data corruption, unauthorized modification of application files, or insertion of malicious code. The vulnerability requires authentication but no additional user interaction, and the attack surface includes any system where Stirling-PDF is deployed and accessible to authenticated users. The CVSS 3.1 score of 8.1 reflects network attack vector, low attack complexity, required privileges, no user interaction, and high impact on integrity and availability. The flaw was addressed in version 2.5.2 by implementing proper path validation and restrictions during ZIP extraction. No public exploits have been observed yet, but the risk remains significant due to the potential for privilege abuse and system compromise.

This vulnerability allows authenticated users to write arbitrary files with the permissions of the stirlingpdfuser process, which can lead to overwriting critical files and compromising data integrity. Depending on the file system permissions and the environment, attackers could escalate the impact by modifying configuration files, injecting malicious code, or disrupting application availability. Organizations relying on Stirling-PDF for document processing may face data corruption, service outages, or unauthorized system modifications. The compromise of integrity and availability can affect business operations, regulatory compliance, and trustworthiness of document workflows. Since the vulnerability requires authentication, insider threats or compromised user accounts pose a significant risk. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks, especially in environments where Stirling-PDF is widely deployed or exposed to multiple users.

1. Upgrade Stirling-PDF to version 2.5.2 or later, where the vulnerability is fixed with proper path validation during ZIP extraction. 2. Restrict access to the Stirling-PDF application to trusted users only and enforce strong authentication mechanisms to reduce the risk of unauthorized exploitation. 3. Implement strict file system permissions for the stirlingpdfuser process, limiting write access only to necessary directories to minimize the impact of arbitrary file writes. 4. Monitor application logs and file system changes for unusual activity indicative of exploitation attempts, such as unexpected file modifications outside the temporary directory. 5. Employ network segmentation and application-level firewalls to limit exposure of the Stirling-PDF service to internal or trusted networks. 6. Conduct regular security audits and penetration tests focusing on file upload and extraction functionalities to detect similar path traversal issues. 7. Educate users about the risks of sharing credentials and enforce least privilege principles to reduce the attack surface.