QwikSec

Security Database

CVE

CWE

Training

CVE-2026-40505

Published: Apr 16, 2026

Modified: Apr 17, 2026

PUBLISHED

CVSS v3.1

3.3

LOW

Description

MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.

Vendor	Product	Versions
Artifex Software Inc.	MuPDF	affected `0 - < 1.27.0` affected `0f17d789fe8c29b41e47663be82514aaca3a4dfb`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0

release-notes

https://github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfb

patch

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0f17d789fe8c29b41e47663be82514aaca3a4dfb

issue-tracking

https://www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadata

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.