CVE-2026-40505

MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0f17d789fe8c29b41e47663be82514aaca3a4dfb	Patch
https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb	Patch
https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0	Product
https://www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadata	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:*

History

26 May 2026, 18:42

Type	Values Removed	Values Added
First Time		Artifex mupdf Artifex
CPE		cpe:2.3:a:artifex:mupdf::::::::
References	~~() https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0f17d789fe8c29b41e47663be82514aaca3a4dfb -~~	() https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0f17d789fe8c29b41e47663be82514aaca3a4dfb - Patch
References	~~() https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb -~~	() https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb - Patch
References	~~() https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0 -~~	() https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0 - Product
References	~~() https://www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadata -~~	() https://www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadata - Third Party Advisory

17 Apr 2026, 17:17

Type	Values Removed	Values Added
References		() https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb - () https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0 -
Summary	(en) MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.	(en) MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.

16 Apr 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-16 02:16

Updated : 2026-05-26 18:42

NVD link : CVE-2026-40505

Mitre link : CVE-2026-40505

CVE.ORG link : CVE-2026-40505

JSON object : View

Products Affected

artifex

mupdf

CWE

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

3.3 /10