CVE-2026-34071 is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects Stirling-Tools' Stirling-PDF, a locally hosted web application designed for PDF file operations. Specifically, version 2.7.3 of Stirling-PDF contains a flaw in the /api/v1/convert/eml/pdf endpoint when the parameter downloadHtml=true is set. This endpoint returns the email body content as HTML without proper sanitization, serving it with a Content-Type of text/html. Consequently, if an attacker sends a crafted malicious email containing embedded JavaScript or other executable HTML content, and a user exports this email using the 'Download HTML intermediate file' feature, the malicious script executes in the user's browser context. This can lead to unauthorized actions such as session hijacking, data theft, or manipulation of the application interface. The vulnerability does not require authentication but does require user interaction to trigger the exploit. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and limited confidentiality and integrity impact without availability impact. The issue was addressed and fixed in Stirling-PDF version 2.8.0. No known exploits in the wild have been reported to date. This vulnerability highlights the risks of improper input neutralization during web page generation in locally hosted applications that process potentially untrusted content such as emails.

The primary impact of CVE-2026-34071 is on the confidentiality and integrity of data processed by Stirling-PDF. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the affected user's browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions within the application or related systems. Since Stirling-PDF is locally hosted and used for handling PDF conversions from emails, organizations relying on it for processing sensitive communications may face data leakage or manipulation risks. The requirement for user interaction (exporting the email) limits the attack scope but does not eliminate risk, especially in environments with high email volumes or where users may be less security-aware. There is no direct impact on system availability. The vulnerability could be leveraged in targeted spear-phishing campaigns to compromise specific users or systems. Overall, organizations using the affected version risk exposure to client-side attacks that can undermine trust and data security.

To mitigate CVE-2026-34071, organizations should immediately upgrade Stirling-PDF to version 2.8.0 or later, where the vulnerability is fixed. Until the upgrade is applied, restrict access to the /api/v1/convert/eml/pdf endpoint, especially the downloadHtml=true parameter, through network controls or application-layer firewalls. Educate users about the risks of exporting email content and encourage caution with emails from untrusted sources. Implement Content Security Policy (CSP) headers in the hosting environment to restrict execution of unauthorized scripts. Conduct regular security reviews of locally hosted web applications that process untrusted input, ensuring proper input validation and output encoding. Monitor logs for unusual export activity or attempts to access the vulnerable endpoint. Consider isolating the Stirling-PDF service in a segmented network zone to limit potential lateral movement if compromised. Finally, maintain updated backups and incident response plans to quickly address any exploitation attempts.