What is CVE-2026-33929?

CVE-2026-33929 is a unknown severity vulnerability classified as Path Traversal. Affected versions: ≤ 2.0.36. Visit OsVault for full remediation guidance.

How severe is CVE-2026-33929?

CVE-2026-33929 has been classified as UNKNOWN severity.

April 14, 2026

CVE-2026-33929

UNKNOWN SEVERITY

Executive Summary

Vn. Specifier≤ 2.0.36

VulnerabilityPath Traversal

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.

Quantitative Risk Analysis

OSVAULT RISK

Exploit Maturity

UNPROVEN

OsVault Risk Score Methodology

The OsVault composite score is a 5-layer non-linear engine — not a simple weighted average. Each input signal is transformed through mathematically appropriate curves before blending, ensuring that exploitability context overrides raw severity when warranted.

Layer	Signal	This CVE	Transformed Value
L1	Technical Severity	CVSS —/10	0.0 (piecewise exponential × vector modifiers)
L2	Threat Intelligence	EPSS 0.000% · Unproven	27.8 (sigmoid EPSS k=40 + maturity tier base)
L3	CISA KEV Status	Not listed	No floor applied
∑	Composite: 50% Technical + 40% Threat + 10% Context		44.11

Layer 1 (Technical): CVSS is mapped through a piecewise exponential curve with 4 bands (LOW 0–20, MEDIUM 20–55, HIGH 55–85, CRITICAL 85–100), then multiplied by full CVSS vector decomposition factors for Attack Vector, Complexity, Privileges, and User Interaction.

Layer 2 (Threat): Raw EPSS is passed through a logistic sigmoid (k=40, midpoint=0.05) to maximize discrimination in the decision-relevant range. The result is added to an exploit maturity tier base score (Weaponized: 85, Functional: 55, PoC: 40, Unproven: 18).

Layer 3 (KEV Floor):Any CVE in CISA's catalog receives a hard minimum of 93.0 (Functional) or 97.0 (Weaponized). This ensures confirmed exploitation is never buried by low CVSS scores.

Scores ≥70: patch immediately. 40–69: schedule within current sprint. Below 40: standard maintenance cycle.

Relevant Threat Intelligence

Other Vulnerabilities from April 2026

CVE-2025-13822

MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.

CVE-2026-4109MEDIUM

The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.

CVE-2026-33892HIGH

A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 < V2.8.0). Affected management systems do not properly enforce user authentication on remote connections to devices. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has identified the header and port used for remote connections to devices and that the remote connection feature is enabled for the device. Exploitation allows the attacker to tunnel to the device. Security features on this device itself (e.g. app specific authentication) are not affected.

CVE-2026-31924

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Are you affected by CVE-2026-33929?

Integrate OsVault's static analysis engine directly into your repository to uncover unreachable downstream vulnerabilities implicitly bypassing your firewall rules.

Run Platform Scan →