CVE-2026-40505
4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Artifex Software Inc. | MuPDF | 0 < 1.27.0 | affected |
| Artifex Software Inc. | MuPDF | 0f17d789fe8c29b41e47663be82514aaca3a4dfb | affected |
Weaknesses
- CWE-150: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0
- https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0f17d789fe8c29b41e47663be82514aaca3a4dfb
- https://www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadata
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.