Home

Description

MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.

PUBLISHED Reserved 2026-04-13 | Published 2026-04-16 | Updated 2026-04-17 | Assigner VulnCheck




MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

LOW: 3.3CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Problem types

CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

Product status

Default status
unaffected

Any version before 1.27.0
affected

0f17d789fe8c29b41e47663be82514aaca3a4dfb (git)
affected

Credits

Niel Duysters finder

References

github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0 release-notes

github.com/...ommit/0f17d789fe8c29b41e47663be82514aaca3a4dfb patch

cgit.ghostscript.com/...d789fe8c29b41e47663be82514aaca3a4dfb issue-tracking

www.vulncheck.com/...updf-mutool-ansi-injection-via-metadata third-party-advisory

cve.org (CVE-2026-40505)

nvd.nist.gov (CVE-2026-40505)

Download JSON