CVE-2026-40505 MEDIUM

CVE-2026-40505: MuPDF < 1.27 mutool ANSI Injection via Metadata

Vendor Artifex Software Inc.
Product MuPDF
Weakness CWE-150
Published April 16, 2026
Last update April 17, 2026

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.
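A defensive filter for the behaviour described above, as an added example that is not part of the original advisory or of MuPDF: it rewrites control characters in captured tool output to a visible \xNN form before the text reaches a terminal, and reports which lines carried them. The function names are hypothetical and the sample text is constructed, not real mutool output.

```python
import re
import sys

# C0 controls except tab and newline, DEL, and C1 controls. This covers
# ESC (0x1b), the 8-bit CSI (0x9b) and carriage return (0x0d).
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def neutralize(text):
    """Rewrite each terminal control character as a visible \\xNN literal."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def find_control_sequences(text):
    """Return (line_number, neutralized_line) for lines with control chars."""
    return [
        (n, neutralize(line))
        for n, line in enumerate(text.split("\n"), 1)
        if _CONTROL.search(line)
    ]


# Constructed sample standing in for metadata printed by a tool; it is not
# real mutool output. Line 1 recolours text, line 2 uses a carriage return
# to overwrite the start of the line on a real terminal.
SAMPLE = (
    "Title: Quarterly report\x1b[31m (red)\x1b[0m\n"
    "Author: alice\rAuthor: bob\n"
    "Pages: 3\n"
)


def main():
    # Invalid UTF-8 bytes become U+FFFD, so raw 8-bit controls cannot pass.
    raw = sys.stdin.buffer.read().decode("utf-8", errors="replace")
    hits = find_control_sequences(raw)
    for n, line in hits:
        print("control characters on line %d: %s" % (n, line), file=sys.stderr)
    sys.stdout.write(neutralize(raw))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pipe the output of mutool info through the script when inspecting untrusted PDFs; exit status 1 flags a file whose metadata carried control characters.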

Key dates

02 Disclosure timeline

April 16, 2026 CVE published
April 17, 2026 Record updated