CVE-2026-33929

Severity CVSS v4.0:
Pending analysis
Type:
CWE-22 Path Traversal
Publication date:
14/04/2026
Last modified:
14/04/2026

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.

Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.

The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) described in CVE-2026-23907. However, the change in releases 2.0.36 and 3.0.7 is flawed because it does not take the file path separator into account. Because of that, a user with write permission on /home/ABC could fall victim to a malicious PDF that causes a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".

Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
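The flaw described above is a general one: a string prefix test such as `target.startsWith("/home/ABC")` accepts "/home/ABCDEF" because it compares characters, not path components. The following Java class is an added illustration written for this page; it is not code from the PDFBox project, and it does not reproduce the actual change in GitHub PR 427. The class and method names (`EmbeddedFileTargetCheck`, `flawedIsInside`, `isInside`, `resolveOrReject`) and the sample embedded-file names are assumptions constructed for the example. It puts the separator-unaware check next to two separator-aware forms and shows how a name taken from a PDF's embedded-files tree should be resolved against the output directory before anything is written.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added illustration (not Apache PDFBox project code) of why a plain string
 * prefix check is not a directory containment check, and how to do it right.
 * All names in this class are assumptions chosen for the example.
 */
public class EmbeddedFileTargetCheck {

    /** Flawed form: "/home/ABCDEF".startsWith("/home/ABC") is true. */
    static boolean flawedIsInside(String baseDir, String candidate) {
        String base = Paths.get(baseDir).toAbsolutePath().normalize().toString();
        String target = Paths.get(candidate).toAbsolutePath().normalize().toString();
        return target.startsWith(base);
    }

    /** Corrected form: Path.startsWith compares whole path components. */
    static boolean isInside(String baseDir, String candidate) {
        Path base = Paths.get(baseDir).toAbsolutePath().normalize();
        Path target = Paths.get(candidate).toAbsolutePath().normalize();
        return target.startsWith(base);
    }

    /** Equivalent string form: the prefix must be followed by a separator (or be the whole path). */
    static boolean isInsideStringForm(String baseDir, String candidate) {
        String base = Paths.get(baseDir).toAbsolutePath().normalize().toString();
        String target = Paths.get(candidate).toAbsolutePath().normalize().toString();
        return target.equals(base) || target.startsWith(base + File.separator);
    }

    /**
     * Resolve an untrusted embedded-file name against the output directory.
     * Normalizing first removes ".." segments; an absolute name replaces the
     * base entirely and is therefore rejected by the component-wise check.
     */
    static Path resolveOrReject(String outputDir, String embeddedName) {
        Path base = Paths.get(outputDir).toAbsolutePath().normalize();
        Path target = base.resolve(embeddedName).toAbsolutePath().normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException(
                "embedded file name escapes output directory: " + embeddedName);
        }
        return target;
    }

    public static void main(String[] args) {
        String base = "/home/ABC";
        // Constructed sample names, as they might appear in a PDF's EmbeddedFiles tree.
        String[] names = { "report.txt", "sub/../ok.txt", "../ABCDEF/x", "../../etc/y", "/tmp/z" };
        for (String name : names) {
            Path resolved = Paths.get(base).resolve(name).toAbsolutePath().normalize();
            System.out.printf("%-14s -> %-24s flawed=%-5s fixed=%-5s string=%-5s%n",
                name, resolved,
                flawedIsInside(base, resolved.toString()),
                isInside(base, resolved.toString()),
                isInsideStringForm(base, resolved.toString()));
            try {
                resolveOrReject(base, name);
                System.out.println("   accepted: " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("   rejected: " + e.getMessage());
            }
        }
    }
}
```

Running `main` shows the difference on the "../ABCDEF/x" entry: the flawed check reports it as inside /home/ABC while both corrected forms reject it, as they do "../../etc/y" and the absolute "/tmp/z". On Windows the JVM maps "/home/ABC" to a drive-qualified path, but the comparison stays consistent because both sides go through the same `toAbsolutePath().normalize()` step.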